The ASM 2000 workshop was held in the conference center of the Swiss Federal Institute of Technology (ETH) at Monte Verità, Canton Ticino, March 19-24, 2000.

The formalism was proposed together with the thesis that it is suitable to model arbitrary computer systems on arbitrary abstraction levels. ASMs have been successfully used to analyze and specify various hardware and software systems including numerous computer languages.

The aim of the workshop was to bring together domain experts, using ASMs as a practical specification method, and theorists working with ASMs and related methods. In addition the workshop served as a forum on theoretical and practical topics that relate to ASMs in a broad sense. Three tutorials including hands-on experience with tools were organized by U. Glässer and G. del Castillo (on the topic "Specifying Concurrent Systems with ASMs"), H. Rueß and N. Shankar (on the topic "Tutorial Introduction to PVS"), M. Anlauff, P. W. Kutter, and A. Pierantonio (on the topic "Developing Domain Specific Languages").

In response to the organization committee's call for papers, 30 papers were submitted, each of which was independently reviewed by four members of the program committee. This volume presents a selection of 12 of the refereed papers and two reports on industrial application at Siemens and Microsoft Research, together with contributions based on the invited talks given by A. Blass (University of Michigan), E. Börger (University of Pisa), G. Goos (University of Karlsruhe), M. Odersky (Swiss Federal Institute of Technology (EPFL), Lausanne), W. Reisig (Humboldt University Berlin), and N. Shankar (SRI International). The introduction written by E. Börger gives an overview on ASM research from the beginning to the present.

On behalf of the program committee, we would like to express our appreciation to the six lecturers who accepted our invitation to speak, to the tutorial organizers, to all the authors who submitted papers to ASM 2000 and to the Centro Stefano Franscini (CSF) at Monte Verità and the local organizers who made the workshop possible.
The ASM'2000 workshop marks for the ASM method the transition from its adolescence to its maturation period. The goals which have been achieved opened new frontiers and put us into the position to embark on new challenges.

trttt ft tit tr 

It was a long way since the spring of 1987 when Yuri Gurevich visited Pisa and, in a series of lectures on the fundamental problem of semantics of programming languages, presented the world premiere of the concept of ASMs (then called dynamic/evolving structures/algebras). He gave the main motivation: reconsider Turing's thesis in the light of the problem of semantics of programs. He illustrated his ideas with examples, in particular specifications of Turing machines, stack machines and some Pascal programs. He gave also proofs of simple properties of these programs. This material appeared a year later in [22]. It was preceded by the first appearance of the thesis, in a 1984 technical report [2 ], and fully spelled out in a notice presented on May 3 of 1985 to the American Mathematical Society [2 ]. It was accompanied by the first real-world application, a full dynamic semantics of Modula-2 [26], and shortly afterwards followed by the treatment of concurrency used to define the semantics of Occam [27], which was presented by Gurevich in another series of lectures in Pisa in May 1990. Since then the concept of Abstract State Machines essentially remained stable [23,24] and triggered hundreds of publications in various domains including finite model theory, complexity theory and numerous areas of applied computer science, in particular programming languages, database query languages, protocols, architectures and embedded control software [ ].

The first attempts to put the bold thesis to the test were focussed on the problem of the dynamics of programming languages known to us, and came from a purely theoretical background and had no practical, let alone
about resource bounds, was abandoned because it belongs to garbage collection rather than to the high-level specification. A technical variation was later introduced concerning the treatment of non determinism and of inconsistent update sets.

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, 2000.

2 E. Börger

industrial, experience. What came out of that is a practical method which exploited ASMs for the development of a full-fledged refinement approach which enabled us to rigorously define and analyse the dynamic semantics of real-life programming languages and their implementation on virtual or real machines. By now, the covered programming paradigms include the paradigms of all the major modern programming languages. The method of constructing ASM ground models, described in [5] where the term primary model (rather than ground model) was used, proved to be mature and was chosen for standardization purposes by the International Standards Organization, see [ ,9, , 2,3], and by the International Telecommunication Union, as reported in [ 9] and in these proceedings [ ].

At the next step, the method was tried out for the specification and verification of machine architectures and protocols. Then all this was followed by applications to software engineering. Here one starts by constructing a ground model for a proposed (or, in the case of reverse engineering, for an existing) software system. Through the entire design process, one refines and/or coarsens the models, linking the high-level models in a traceable and inspectable way to executable code; see the survey in [6].

The key for the surprisingly fast success of the method lies in (a) the two constituents of the notion of ASM, namely Abstract State and Abstract Machine (see the corresponding sections in [6] for the historical reconstruction of the confluence of these two concepts) and (b) in the systematic way it offers for practical software development to …

The … of ASMs allows one, on one side, to tailor the models to the needs or purposes of the design, and, on the other side, to make their rigorous analysis feasible. The latter is due to the freedom to use those proof methods which are appropriate for the present discourse. In other words, the abstraction mechanism, built into the notion of ASM, permits one to make true the old dream of well documented and controllable hierarchical system development. ASMs enable us to do the following:

• Make the faithfulness of the models, with respect to the design intentions, checkable by direct inspection (falsifiable in the Popperian sense). This holds in particular in requirements engineering for the faithfulness of the ground model with respect to the informally given requirements. The faithfulness becomes checkable by the application domain expert once a model is there (see [ 6]).

• Link, by hierarchies of stepwise refinements, the high-level definition in a transparent way to its implementation. Here each refinement step is supposed to reflect design decisions one wants to document for future use, e.g. for maintenance purposes or for changes by extensions and modifications.

Notice that the abstract machine is different from the familiar abstract machines. It has built-in parallelism which allows one to abstract from irrelevant sequentialization.
• Make the (mathematical, possibly machine checked) justification of the correctness of a complex design feasible. ASMs offer the necessary rigorous framework for the analysis of run-time properties, at the appropriate level of abstraction, which allows one to prove that the implementation conforms to the high-level specification.

The … of ASMs provides a sufficient basis for turning the definitions into executable models. These can be used for high-level validation of user scenarios prior to coding or of test beds by means of mental or machine driven experiments. This luckily breaks with the still widely held traditional view that specifications should be, or are by definition, non-executable.

This … of ASMs is incorporated into the techniques provided by the ASM method for constructing different system views and linking them into hierarchies of system levels. Here are the major software development concerns we systematically separate and recombine, making … the main methodical principle, and it led us very far.

The separation of orthogonal design decisions is the most important one in practice. It is made possible by the most general abstraction and refinement capabilities of ASMs, and it is motivated by the necessity to keep the design space open as long as possible and to structure it, for "design for change" and for modular development.

The separation of design from analysis corrects the long standing tradition of identifying "rigorous" with "formalized in logic". This tradition is one of the reasons the so called formal methods have not really had a strong impact on practical software development.

The separation, within the analysis, of experimental validation from mathematical verification is possible with ASMs because once the models have been made executable, they can be used for simulation. The simulation of a higher-level model can be performed prior to writing the final code. It can also enhance testing the code, so that the correspondence of the implementation to the abstract specification can be checked.

The separation of different degrees of detail within verification allows one to adapt the justification of a design to the current development stage. ASMs give the means to differentiate justifying a design to domain experts from justification in terms of mechanical reasoning systems. Further, one should distinguish between interactive logical systems and fully automated tools like model checkers or automatic theorem provers.

The separation of mathematical concerns within verification. For example, one may want to split the proof of a property for a complex system into three steps, namely:

• prove the property for an abstract model of the system under an appropriate assumption,

• refine the abstract model to the system so that the latter implements the former correctly,

• prove that the system satisfies the assumption.





Experience shows that it is not only easier to prove properties for complex systems in this way, but this splitting of proof obligations often is the only known way to show that a run-time system works the way it is supposed to. A characteristic example are the ASM-based proofs of the correctness of compilation schemes [ 3, , 7] and the implementation of those schemes by provably correct real-life compilers, a problem which is addressed in these proceedings. By the way, collecting such justificational evidence yields an interesting by-product: a detailed analysis of the design itself.

Most of these lines of research and principles were present, in embryo, already at the first international ASM workshop held as early as 1994, as part of the IFIP World Computer Congress in Hamburg, Germany [3 ]. Although the applications which appeared there were limited by our academic experience and were largely motivated by an effort to critically test the ASM thesis, it is not incidental that right from the be ginning, by making good use of the freedom of abstraction offered by the ASM concept, we were naturally led to "separate and combine" design levels, design and analysis, verification and validation, and degrees of detail in verification. Concerning validation, let us note that the first tools for making ASMs executable date back to 1990; see the Prolog-based compiler for ASMs Angelika Kappel developed in [29], the … for … [ ], and the Michigan interpreter mentioned in [23].

Only 5 years later, at the ASM workshop which was held as part of the International Formal Methods Conference FM'99 in Toulouse, France, one can observe (see again the survey [6] for details) that

• the theory of ASMs is richly developed,

• the applications include industrially successful standardization and software engineering projects, some of which become publicly visible for the first time in these proceedings [ 5,4],

• there is a proliferation of different tools, most of them developed in academia, for both the experimental validation and the machine supported verification of ASMs, providing execution mechanisms for ASMs (via interpretation or compilation) and links to verification systems like PVS, KIV and model checkers.

Here is what Jim Huggins wrote to me on June 4, 2000, about the details of the history: "Yuri taught a course in programming language design at Michigan during the fall of …. Of course, he introduced ASMs in the class. A very sharp young undergraduate named Ben Harrison wrote a bare-bones interpreter for ASMs in LISP in a weekend and distributed it to the class. Yuri was impressed enough with Harrison that he hired him to write a full-fledged interpreter, this time in C. Ben built the core of the interpreter in a …. At that point the interpreter was handed over to me, and I worked on it for 3 years or so, finishing up the rest of the unfinished business at that time. In 1994 development was handed over to Raghu Mani, who worked on it for a couple of years...". Let me add that Raghu's task was to upgrade the interpreter from single-agent to multi-agent ASMs.

In between, ASM workshops had been held in Paderborn (May 1996), Cannes (June 1997, June 1998) and Magdeburg (September 1998).
All of these themes are reflected in the rich program of ASM'2000. These proceedings, which constitute the first book entirely devoted to ASMs, document what has been achieved in the first decade after the formulation of the ASM concept. They are a confirmation of our conviction expressed already at the first ASM workshop in 1994, namely that (paraphrased) "the extraordinary potential of the method will change drastically the industrial future of formal specifications" [5, pg.393].



Frontiers

The experience accumulated with the ASM concept, and with the method which has been developed for its use, did change the way we think about high-level software design and analysis. Now we have to actualize this vision to make it work for established software development disciplines, at a large scale. The achievements of the last decade open new frontiers and put us into the position to face the new challenges.

Through the extensive modeling, validation and verification work of the past decade, the ASM thesis was experimentally confirmed. But this year brought us a theoretical explanation of the observed phenomenon, namely via a proof [25] that the sequential version of the ASM thesis follows from three fundamental system theory axioms. Once established, the thesis allows one to draw conclusions of practical importance, as is illustrated by an example in these proceedings [7]: the thesis guarantees that there is no loss of generality in substituting the fundamental but vague concepts of action and activity by the mathematically rigorous concepts of ASM step and run. It seems that in [3 ,2] the meanings of action/activity were intentionally left unspecified, namely to leave the space of possible implementations as open as possible. But this was achieved at the price of making it difficult to control the implications these concepts have within the context of the event-driven run scheme, in particular concerning the possible numerous and nested exit/entry actions, coming through interrupts, and concerning the launch and abortion of internal activities.

On the practical side we have to take advantage of the experience, acquired with building tools for executing ASMs, to develop an entire tool environment which is also industrially satisfactory. It has to support the different activities of defining, transforming (by refinements and by code generation) and analysing models (by testing, via visualization supported simulation, and by verification). The tool environment has to enable us to capture the design knowledge in a rigorous, electronically available and reusable way, and to achieve this goal it must be integrated into established design flows and their tool environments. The integration potential of ASMs, as a universal model of computation which

When I was working on this introduction, a message from Prof. Igor … of St. Petersburg State University arrived: "One of my students, Andrey …, has written an ASM interpreter. It is implemented as a Java applet designed to run under an internet browser (it has been tested under IE 5.0 and NN 4.7)."
is well established by the accumulated experimental evidence and by the theoretical explanation we have now for the ASM thesis, is helpful to capture the overall behavior of a complex system by combined use of whatever rigorous descriptions are appropriate and mandatory in established design approaches (static, dynamic, functional, state-based, object-oriented, etc.).

This is a difficult and probably long way to go, "a ridge walk between freedom and discipline, creativity and pattern oriented design, generality and specialization, expressibility and limitations by tool support" [6]. But it is worth the effort. Here are some among other challenging problems where I see a large potential for fruitful exploitation of the ASM method.

If we succeed to construct paradigmatic and parameterized components and to extract (de)composition techniques that can be made available in libraries, the "codeless" form of programming will help porting application programs from one platform or language to another and can lead to fruitful applications for plug-and-play software technology.

If we succeed to exploit ASMs for defining and implementing methods for generating test suites from high-level specifications, this will turn a dark and at present overwhelming part of software development into an intellectually challenging and methodologically well supported task of enormous practical value. Indeed using ASMs one can solve the crucial and essentially creative part of test case selection, given that this selection is driven typically by application domain expert knowledge and thus can be formulated using the ground model. Similarly the ground model supports solving the oracle problem of testing: the expected output, which has to be compared with the execution output, can be defined using the ground model specification (which is independent of the programming language where the system will be coded).

If we exploit ASMs to enhance current (mostly signature oriented) software architecture description techniques by adding to the structural definitions also relevant semantical content, we will solve a widely felt need for building reliable reconfigurable and … systems [2 ].

If we succeed to exploit the atomic transaction nature of the notion of ASM step to model practically useful patterns for communication and synchronization of multi-agent ASMs, typically based on shared memory or on message passing, this will contribute to solve a crucial problem of distributed computing.

On the theoretical side a model and a proof theory of ASMs are needed. We need definitions which capture exactly the practical refinement schemes we have used with success for ASMs, together with useful proof principles which can be built into state-of-the-art mechanical verification systems (for some steps in this direction see the contributions to … and model checking in these proceedings and [32, 4]). Such a proof theory would alleviate the verification effort encountered in practical applications, namely by offering structuring and layering of proof obligations which avoid the bottleneck of a priori …

A similar remark applies also to static testing (code inspection): to formulate the properties to be checked.
of overwhelming proof details. We need to find the right way to exploit the notion of monitored (real-valued) functions for connecting the discrete world to the continuous world of control theory. We need to help in building models for mobile computing. We badly need to extract the inherent object oriented features of ASMs, which are visible in the concept of agents and of their state, to make them explicitly and syntactically available, adapted to established object-oriented programming techniques.

These proceedings contain numerous contributions where the mentioned issues are raised and these constitute a good point of departure to help solving the challenging problems which are waiting for us.

References
1 Introduction

The purpose of this paper is to describe some connections between the theory of abstract state machines (ASM's) and concepts from pure mathematics. These connections are of three general sorts.

First, there are direct uses of mathematical concepts in ASM's. A well known instance of this is the use of structures, in the sense of first-order logic, in the very definition of ASM's. A less well known instance is the use of interpretations, also in the sense of first-order logic, to describe transitions of ASM's as well as certain sorts of simulations.

Second, there are modifications of mathematical concepts, adapting them to the purposes of computation theory and ASM's. As an example of this, we discuss the analog of the set-theoretic concept of permutation model.

Finally, there are analogies between ASM's and some aspects of pure mathematics. In this connection, we discuss the multifaceted philosophical issue of "universality": Do ASM's provide a universal framework for descriptions of algorithms in the same sense that set theory provides a universal framework for mathematical proofs? In this connection, we also discuss the value of explicit formalization and the role of definitions. We comment briefly on possible alternative "foundations" based on, for example, ordered lists or multisets instead of sets.

We also discuss the issue of "objects whose identity doesn't matter," which arises in connection with the import rules of ASM's and also in various contexts in pure mathematics.

* Preparation of this paper was partially supported by a grant from Microsoft Corporation. Opinions expressed here are, however, entirely …


© Springer-Verlag Berlin Heidelberg 2000
I thank the organizers of the Monte Verità conference for inviting me to present the talk on which this paper is based. I also thank Yuri Gurevich for his suggestions for improving this paper and for many helpful and informative discussions about ASM's and other aspects of computer science.

2 Structures and Interpretations

From the very beginning, the concept of abstract state machines has been closely linked to pure mathematics. Indeed, one of the central ideas is to model states of computations as structures in the sense of mathematical logic. Another central idea is that an ASM program describes one step in a computation, not the entire iteration. Because of this, the programs themselves correspond to a familiar concept from first-order logic, that of interpretation.

Interpretations of one vocabulary or theory in another were introduced in [ 7] for the purpose of deducing undecidability of many theories from essential undecidability of one theory. See also [ , Section 4.7], whose formulation we follow here. In general, an interpretation of a vocabulary Υ in a theory T (with vocabulary Υ′) consists of

• a unary predicate U_I in Υ′,

• for each function symbol F of Υ a function symbol F_I of Υ′, and

• for each predicate symbol P of Υ a predicate symbol P_I of Υ′ (equality does not count as a predicate symbol here but as a logical symbol),

such that it is provable in T that U_I is nonempty and closed under all the F_I's. Thus, given a model M for T, we obtain a structure for Υ by taking as its base set the extent in M of U_I and as its functions and predicates the (restrictions of the) interpretations in M of the corresponding symbols of Υ′. The concept of interpretation is often extended by saying "interpretation in T" when one really means "interpretation in an extension by definitions of T." Then U_I, F_I, and P_I need not be primitive symbols of the vocabulary Υ′ but could be given by formulas in that vocabulary. (For historical accuracy, I should mention that the definition of "interpretation" in [ 7] already included extensions by definitions but did not include the unary predicate U; the latter was treated separately under the name of "relativization.")

Consider the special case of an interpretation where the theory T has no axioms (so the interpretation can be applied to arbitrary Υ′-structures), where Υ = Υ′, and where U is identically true (so applying the interpretation doesn't change the vocabulary or the base set of a structure). The transformations of Υ-structures obtainable by such interpretations are just those obtainable by executing one step of an ASM with vocabulary Υ, provided the ASM doesn't create new elements and is non-distributed. (In the distributed case, the interpretations should be restricted so that the steps they describe can each be executed by a single agent.)

From this point of view, one could say that an ASM is "just a special sort of interpretation," but the word "just" here is unjust. Though formally the
same, ASM's are intended to be used quite differently from interpretations: An ASM is to be applied iteratively (for a number of steps not usually known in advance). For interpretations in general, there is a notion of composition, but only interpretations from a vocabulary (or theory) to itself can be repeated arbitrarily often.

It may be noteworthy that, in the correspondence between ASM's and interpretations, the sequential ASM's correspond to quantifier-free interpretations. Thus, the same restriction is quite natural from both the computational and the logical points of view.

Can interpretations contribute anything to our understanding of ASM's? In a sense, they already did, at least if one considers interpretations in a generalized sense that has become common in model theory. Here (following an idea that I believe was introduced by Shelah), one more or less automatically enlarges structures to include, in addition to their actual elements,

• tuples of elements and

• equivalence classes with respect to definable equivalence relations.

See for example the M^eq construction in [ 3, page ]. Then interpretations can use these additional elements; thus for example the standard definition of the integers in terms of natural numbers (as equivalence classes of pairs) amounts to an interpretation. Some of the central ideas and results of [2] first appeared, in notes of Shelah, in the context of interpretations of just this sort. (They weren't explicitly called interpretations, but the influence of M^eq was visible.) Later, this material was clarified by expressing it in terms of ASM's. The distinctive set-theoretic context of [2] was motivated, at least in part, by the desire for a natural framework in which tuples and equivalence classes are easily handled.

Might interpretations contribute something more to ASM theory? What about interpretations between different vocabularies, which are therefore not iterable? Perhaps these will provide a useful point of view for such operations as setting up an initial state for an ASM. Often the input to a computation is only part of what should be present in the initial state of a computation. Adding the extra material to convert the input into the initial state is, in some cases, an interpretation in the generalized (M^eq) sense discussed above. In other cases, this preparation is more complicated, for example adding a whole set-theoretic superstructure as in [2]. It is not clear whether the notion of interpretation can be usefully stretched to cover such cases as well.

In addition to setting up the initial state for a computation, interpretations might be appropriate for extracting the "answer" from the final state of a computation. More generally, one can imagine many sorts of interfaces — not only input/output but more general interfaces between computations or between parts of a computation — as described by interpretations.

It also seems that interpretations may provide a good way to describe the connection between two ASM's that "compute the same thing in different ways." The idea here is that certain states, the "pose" states, in a run of the one machine are obtainable from those of the other machine by a uniform interpretation. (Between successive pose states, each machine may go through states that have no strict counterpart in the other machine, states that depend on the details of how the machine does its work.) The interpretation tells how what one machine does is to be seen from the perspective of the other.

Finally, since interpretations are usually (in mathematical logic) regarded primarily as syntactic transformations rather than semantical ones, I should add a few words about the syntactic aspect. An interpretation of a vocabulary Υ in a theory T provides a translation of terms and formulas from Υ to the vocabulary of T. The translation consists of replacing each function symbol F or predicate symbol P in the given term or formula with F_I or P_I and restricting all quantifiers to U_I. Then the translation φ^I of a sentence φ is true in a model M of T if and only if the sentence φ itself is true in the Υ-structure M_I obtained from M via the interpretation.

Thinking of interpretations primarily on the semantic level, transforming models M of T into Υ-structures M_I, we can describe the syntactic transformation φ ↦ φ^I as producing weakest preconditions. That is, φ^I expresses, in a structure M, exactly what is needed in order that M_I satisfy φ. Here is a toy example to indicate what goes on in general.

Consider the update rule c := d. The corresponding interpretation has P_I = P and F_I = F for all predicate and function symbols other than c, and c_I = d (and U_I is the identically true predicate). If M is a structure, then M_I for this interpretation is the same as M except that it gives c the value that d had in M, i.e., it is the sequel of M with respect to the rule c := d. Now consider a formula φ, the simplest relevant example being P(c) for a unary predicate P. Its translation φ^I under our interpretation is obtained simply by replacing every occurrence of c by d, so in our simple example P(c)^I is P(d). And this φ^I is exactly what M must satisfy in order to guarantee that M_I satisfies φ.

3 Permutation Models

In this section, I'll describe a technique for describing and analyzing the idea of "not permitting arbitrary choices," both in set theory and in computation theory.

In 1922, Fraenkel [ ] constructed models of set theory (with infinitely many urelements, also called atoms) in which the axiom of choice is false. The central idea is that all the atoms in a model of set theory "look alike"; more precisely, any permutation of the atoms induces an automorphism of the whole set-theoretic universe. Fraenkel formed the subuniverse of "sufficiently symmetric" sets, and showed that it satisfies all the usual axioms of set theory except the axiom of choice. ("Usual" is an anachronism here, since Fraenkel himself had just recently introduced the replacement axiom and given a precise formulation of Zermelo's separation axiom. The axiom system, known as Zermelo-Fraenkel set theory, ZF, is certainly the usual one nowadays.) More precisely, Fraenkel's model consisted of those sets x which depend on only a finite subset F of the atoms, in the sense that any permutation of the atoms fixing those in F will, when extended to an automorphism of the whole universe, also fix x. (Subsequently, other authors studied other notions of "sufficiently symmetric" in order to obtain independence results concerning weak forms of the axiom of choice, but these other notions will not be relevant here.)

A modification of Fraenkel's idea is at the heart of the main results of [2]. This paper introduced a rather liberal model of choiceless polynomial time computation. The model is an ASM whose initial state is obtained by building a universe of (hereditarily) finite sets over the input structure regarded as consisting of atoms; this makes many sorts of data structures available for the computation. In addition, parallelism is allowed both in do-for-all rules and in some set-formation constructions. It is shown, however, that such apparently simple things as the parity of the number of elements in an unstructured set cannot be computed in polynomial time, even in this liberal model, as long as arbitrary choices are prohibited. The proof of this theorem uses the hypothesis of choicelessness by deducing that, if the computation "uses" a set x, then it must also use all sets π(x) obtainable from x by automorphisms of the set-theoretic structure, i.e., by permutations of the atoms of the input structure. The polynomial time hypothesis then ensures that there cannot be too many of these π(x)'s. The essential combinatorial step in the proof is a lemma allowing us to infer from "not too many π(x)'s" to x being fixed by all permutations that fix a certain number of atoms. In contrast to Fraenkel's situation, "a certain number" cannot be taken to be simply "finitely many," as there are only finitely many atoms altogether in the present situation. Instead, a quantitative estimate is needed, which depends on the ASM program under consideration. Thus, the "infinite vs. finite" dichotomy exploited by Fraenkel has been replaced by "large finite (growing as the input structure grows) vs. small finite (depending only on the program)."

A further refinement of Fraenkel's idea occurs in [ 4], where Shelah proves a zero-one law for properties of graphs computable in choiceless polynomial time. For the purposes of permutation arguments, there is a crucial difference between the unstructured (or the slightly more general "colored") sets considered in [2] and the graphs considered in [ 4]: Almost all finite graphs have no non-trivial automorphisms. So at first it would seem that symmetry arguments cannot be applied to computations taking random finite graphs as inputs. Shelah circumvented this problem by working not with automorphisms but with partial automorphisms of graphs. This required a rather delicate development, with careful attention to the sizes of the domains of these partial automorphisms, to ensure that the behavior of a choiceless polynomial time computation is invariant (in a suitable sense) under partial automorphisms of the input. For the (rather complicated) details, we refer the reader to [ 4] or to an easier to read (we hope) exposition that Yuri Gurevich and I are preparing.
4 ASM's and Set Theory

At a 1993 meeting in Dagstuhl, after hearing several talks about formulating various algorithms as ASM's (then still called "evolving algebras"), I made a comment along the following lines:

It seems to me that expressing algorithms in the ASM formalism is rather like formalizing mathematical proofs in ZF. In the beginning, one needs a number of examples of such formalizations, but after a while it becomes clear that any "reasonable" algorithm can be written as an ASM, just as any "reasonable" proof can be formalized in ZF. And after a while, there is little point in actually carrying out the formalizations just in order to verify formalizability (in either situation) unless and until a genuinely problematic case arises.

In t e case of seq ential algorit s, it see s fair to sa t at t is co ent 

as been con r ed b s bseq ent e perience. etter et, it is con r ed b t e 

ain res It of revic [ ], ic asserts t at an seq ential algorit can be 
e pressed b an provided it satis es certain ver nat ral post lates. 

I’ll CO ent later on t e sit ation it non-seq ential algorit s, b t rst 
let e point o t so e differences bet een t e roles of ’s and of Z even 
in t e seq ential case. 

The most obvious difference is that most of us have never seen a non-trivial proof fully formalized in ZFC (nor would we want to see one), but we have seen non-trivial algorithms fully formalized as ASM's. ASM's are, by design, reasonably close to our mental images of algorithms; ZFC is similarly close to mental images of only small parts of mathematics (primarily set theory, and not even all of that). To write out the proof of, say, the commutative law for real addition in the primitive language of set theory would be a very time-consuming exercise for which I see no value at all.

In contrast, writing out explicit ASM programs for various algorithms is not only feasible but worthwhile. It has, for example, led to the detection of errors or ambiguities in specifications of programming languages and computer systems.

This distinction is reflected in a second difference between ASM and ZFC formalizations: the ubiquity of definitions in the development of mathematics on a set-theoretic basis. Such a development begins with axioms written in purely set-theoretic notation, but it soon introduces other concepts by definition, and it is not at all unusual for a concept to be many definitional layers removed from the primitive set-theoretic notions. Think, for example, of the real numbers, defined as equivalence classes of Cauchy sequences of rational numbers. The definition of R sits at the top of a rather high tower (or pile) of other definitions.

Something roughly analogous happens in ASM's, in the idea of successive refinement, working from a high-level description of an algorithm down to a specific implementation. But the analogy is only a rough one for two reasons. First, the tower that connects low-level and high-level versions of an algorithm consists of ASM's at every level. The tower connecting ZFC to, say, the theory of partial differential equations, departs from ZFC formalization (in the strict sense) as soon as one gets above the bottom level; the higher levels are formalized, if at all, in first-order theories obtained (formally) by adding definitions as new axioms. Second, the refinement process is a serious object of study in the ASM world, whereas in the set-theoretic world the process of definition is usually swept under the rug — so much so that many logicians would be taken aback by my comment a moment ago that differential equation theory is formalized not in ZFC but in an extension by definitions. They would probably say "What's the difference?" and accuse me of splitting hairs. The only authors I know of who have made a serious study of the role of definitions in set theory are Morse [2], who carefully analyzes the permissible syntax (far more general than what is usually considered), and Leśniewski [ ], who actually uses definitions in a non-conservative way, as an elegant formulation of existence axioms.

This suggests a question for ASM theory: Can one push the refinement process as far into the background as set-theorists have pushed definitions (and if not, then how far can one push it)? That is, can one arrange things so that all one has to write is a high-level specification and the sequence of "definitions" of its functions in terms of lower levels? The idea would be that the corresponding low-level ASM would either be produced automatically or would (as in the set-theoretic situation) be entirely irrelevant. And of course the high-level ASM and the definitions together should be significantly shorter than the low-level ASM they describe.

A third difference between ASM's and ZFC is the use of ASM's for detecting and correcting errors in intuitive specifications, programs, etc. As far as I know, formalization in ZFC has not played a role in detection and correction of errors in mathematical proofs. Errors certainly occur, and they are detected and corrected. (For particularly embarrassing examples, see the footnotes on page … of [9] and the introduction of [16]. I emphasize that the authors of [9] and [16] did not commit the errors but conveniently summarized them.) But the detection and correction seems to proceed quite independently of formalization. It is based on intuitive understanding and is therefore not very systematic. There are, of course, projects to formalize and systematically check, by computer, various parts of mathematics. But these seem to be of more interest, at the moment, to computer scientists than to typical mathematicians. The latter seem to be generally quite willing to rely on intuitive understanding rather than formal checking.

A fourth difference between the role of ASM's in formalizing algorithms and the role of ZFC in formalizing proofs is that in the latter context there is (to the best of my knowledge) no analog of [ ]. That is, there is no general criterion guaranteeing that any proof, subject to some natural constraints, is formalizable in ZFC. Mathematicians other than set theorists generally take on faith that anything they would consider a correct proof can be formalized in ZFC. Set theorists are aware of possible difficulties (with universe-sized sets), but we are confident that we could recognize any such difficulty and determine whether a proposed argument really goes beyond ZFC (without actually writing out a formalization).
Having promised to comment on the situation for non-sequential algorithms, let me say that the situation there is less clear than in the sequential case. There is no analog of [ ] (yet), and the world of parallel and distributed algorithms seems much more difficult to survey completely than the world of sequential algorithms. (Distinguishing between "parallel" and "distributed" in the sense of [7], it seems that an analog of [ ] is within reach for parallel algorithms but not for distributed ones.)

A particular headache that has come up several times in discussions with Yuri Gurevich is the question of cumulative updates. As a simple example, suppose we want to count the number of elements in some finite universe U (in an ASM). The natural way to do this is to have a counter, initialized to zero, which each of the relevant elements then increments by one. The problem is to do this in parallel, without arbitrarily fixing an order in which the various elements are to act. The rule

do for all v with U(v)
  c := c + 1
enddo

only increments the counter by one, no matter how many elements are in U. If we have an ordering of these elements, then we can let each one increment the counter in turn. But without an ordering, a genuinely parallel version of the algorithm seems to require something new.

The fundamental problem, though, isn't whether this or that situation calls for an extension of the ASM framework but rather whether the framework can be completed at all. I am inclined to be optimistic: A few additions should cover all parallel algorithms. But I realize that my optimism may be the result of an overly naive picture of the wild world of parallelism.

5 Basic Sets?

The title of this section is intended to refer to the computational (ASM) side of the picture, not the pure mathematical (ZFC) side. Of course, sets are basic in ZFC, but this is to some extent the result of an arbitrary choice. Indeed, Cantor, the father of set theory, seems to have regarded sets as intrinsically equipped with an ordering, so perhaps some sort of (generalized) lists would be more fundamental.

On the computational side, too, there is a tendency to view interdefinable concepts, like (finite) sets and lists, as having equal claim to being fundamental. But it is shown in [3] that this tendency is not always appropriate. When we do not allow arbitrary choices (or, equivalently, an ordering) but do allow parallelism, and when we impose polynomial bounds on the total computation time of all processors, then a set-theoretic environment as in [2] is strictly stronger than one using tuples or lists instead. (The polynomial time bound is essential here. Without it, parallelism could compensate for the absence of an ordering by exploring all orderings.)

This result suggests to me that a set-based environment is more appropriate for this sort of computation than the more familiar list-based environments. There is some tension here with the fact that lists can be more straightforwardly implemented than sets. But the sort of computation under consideration, with no ordering allowed, is already intrinsically removed from implementation, where an ordering is implicitly given by the machine representation of elements.

These considerations raise a further question concerning choiceless polynomial time computation: Might some other environment be even better than the set-based one? Perhaps the considerations at the end of the preceding section, about cumulative updates, suggest an answer, namely to use multisets and allow cumulative updating of multiplicities of membership in a multiset. In other words, allow updates of the form "throw element x into multiset y," with the convention that, if several parallel processes execute this update (with the same x and y), then the result is that the multiplicity of x's membership in y is increased by the number of these processes.

But can one do better yet? Might there even be entirely new data structures that are particularly useful in the choiceless context?
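To make the coincidence of parallel updates concrete, here is an added example (not code from Blass's paper): a small Python simulation of ASM update sets that runs the counting rule of the preceding section under ordinary firing, under an ordering, and under the cumulative multiset update just proposed. The dictionary state representation, the location names and the token thrown into the multiset are my own assumptions.

```python
"""Constructed example (not from the paper): ASM update sets, where identical
parallel updates coincide, versus cumulative multiset updates, where they add
up.  Locations are named by plain strings; the state is a dict."""
from collections import Counter


def collect(universe, rule):
    """Evaluate rule(v) for every v of the universe in parallel, i.e. against
    the same old state, and return all updates as a list (one entry per
    executing process, duplicates kept so that they can be counted later)."""
    updates = []
    for v in universe:
        updates.extend(rule(v))
    return updates


def fire(state, updates):
    """Ordinary ASM firing.  An update is a (location, value) pair: identical
    updates coincide, updates to the same location with different values are
    a clash, and every location not mentioned keeps its value (persistence)."""
    chosen = {}
    for loc, val in updates:
        if loc in chosen and chosen[loc] != val:
            raise ValueError(f"clash at location {loc!r}")
        chosen[loc] = val
    new_state = dict(state)
    new_state.update(chosen)
    return new_state


def fire_cumulative(state, throws):
    """Cumulative updates of the form 'throw element x into multiset y'.  Each
    executing process adds one to the multiplicity of x in y, so identical
    throws accumulate instead of coinciding."""
    new_state = dict(state)
    for y, x in throws:
        bag = Counter(new_state[y])
        bag[x] += 1
        new_state[y] = bag
    return new_state


def parallel_count(universe):
    """The rule  do for all v with U(v)  c := c + 1  enddo,  fired once."""
    state = {"c": 0}
    old_c = state["c"]          # every process reads the same old value of c
    updates = collect(universe, lambda v: [("c", old_c + 1)])
    return fire(state, updates)["c"]


def sequential_count(universe):
    """With an ordering available, each element increments c in turn."""
    state = {"c": 0}
    for v in sorted(universe):  # the ordering is what makes this work
        state = fire(state, [("c", state["c"] + 1)])
    return state["c"]


def multiset_count(universe):
    """Every element throws the same token into multiset y in parallel; the
    multiplicity of the token then equals the size of U, no ordering needed."""
    state = {"y": Counter()}
    throws = collect(universe, lambda v: [("y", "token")])
    return fire_cumulative(state, throws)["y"]["token"]


if __name__ == "__main__":
    U = {"a", "b", "c", "d"}    # constructed finite universe, no order assumed
    print(parallel_count(U))    # 1: all four updates are c := 1 and coincide
    print(sequential_count(U))  # 4
    print(multiset_count(U))    # 4
```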

6 Unidentified Objects

In this final section, I'd like to comment on an issue that comes up in many contexts, throughout computer science and mathematics, but is almost always ignored because it's trivial. My main point is that, if it's so trivial, we should be able to give a clear explanation very close to our trivializing intuition.

The issue arises in the theory of ASM's in connection with the importing or creating of new elements. It doesn't matter what the new element is, as long as it's new. So we refuse to worry about the exact choice of the new element. (If two or more elements are to be imported simultaneously, then we make sure they're distinct, but beyond this avoidance of "clashes" we refuse to worry.) A mathematician's immediate reaction is that we work, not with a particular structure in which a particular element has been imported, but with an isomorphism class of structures, a different but isomorphic structure for each choice of imported element. This works, but it doesn't quite correspond to intuition; intuition is still dealing with one structure, not a whole class of them. In some sense, intuition deals with a "generic" member of the isomorphism class, but what exactly (mathematically) is that?

The same issue and the same mathematical solution occur in connection with the syntax of just about any formalized language. One uses bound variables, but one doesn't care what particular variable is used (as long as clashes are avoided). It has become customary to annihilate the issue by saying "we work modulo α-conversion," meaning that expressions differing only in the choice of bound variables are to be identified. This amounts to the "isomorphism class" viewpoint of the preceding paragraph. Another approach was taken by Bourbaki [4]. Their official syntax for logic and set theory (and thus for all of mathematics) has no bound variables. In their places are occurrences of the symbol □. To indicate which occurrences correspond to the same variable, these are joined to each other (and to the binding operator) by lines. This seems to me to be closer to intuition, but rather unreadable. And it applies only to syntactic situations; I don't see how to adapt it to a semantic situation like ASM's. (I find it somewhat reassuring that the highly respected mathematicians of Bourbaki — or at least some of them — found this issue to be worth thinking about to the extent of producing a rather unorthodox solution.)

Another approach to this issue, in the syntactic context of bound variables, is the use of de Bruijn indices. These indices link a variable-binder, such as a quantifier, with the occurrences of the variables it binds, by specifying the difference between them in quantifier depth. That is, in place of a Bourbaki box with a line joining it to a quantifier, one would have a number indicating that the relevant quantifier is to be found so and so many levels less deep in the parse tree. This notation strikes me as farther from intuition than Bourbaki's boxes but closer than isomorphism classes. In terms of human readability, it seems no better than the boxes, but I understand computers read it quite well. (Perhaps humans just need to be wired differently.) I see no way to adapt this approach to non-syntactic situations, like the choice of new elements created in an ASM.

A variant of the isomorphism class approach is suggested by the topos-theoretic view of generic or variable objects [ ]. In the present context, this amounts to regarding the isomorphism class not simply as a class but as an indexed or parametrized family, the parameters being the individual choices. Thus, for instance, an ASM that imports two elements would be viewed as a family of ASM's indexed by ordered pairs of distinct elements. The ASM indexed by the pair (x, y) is the one in which first x and then y were imported. An elegant framework and notation for this approach (applied to bound variables) is given in [6].

The issue of unidentified objects arises in many other contexts. Indeed, one can claim that the exact identity of mathematical objects never matters; all one cares about is the structure relating them. For example, it never matters whether real numbers are Dedekind cuts or equivalence classes of Cauchy sequences, as long as they form a complete ordered field. The following quotation from [ , page 9], though intended to emphasize the topos theorist's view of sets in contrast to the set theorist's cumulative hierarchy, seems to accurately describe how most mathematicians view sets.

An abstract set X has elements each of which has no internal structure whatsoever; X has no internal structure except for equality and inequality of pairs of elements, and has no external properties save its cardinality; still an abstract set is more refined (less abstract) than a cardinal number in that it does have elements while a cardinal number does not.

This comes very close to saying that the actual elements don't matter as long as there are some (and equality is determined). But I claim that we have no entirely satisfactory semantics for dealing with the concept of an arbitrary object whose actual identity doesn't matter (but whose distinctness from other arbitrary objects may be important).

Notice that the problem I am raising is a semantical one. Syntactically, we can handle objects whose identity doesn't matter: just add constant symbols to the language to serve as names for the desired objects. This process is well understood in the context of first-order logic (see for example [ , Chapter 4]; it plays a crucial role in the proof of Gödel's completeness theorem). But passing from syntax to semantics requires choosing elements to serve as the denotations of the new constant symbols, and that brings us right back to the original problem: we need to choose an element but without caring which element it is.

Finally, let me mention that this problem threatens to become more acute if one considers quantum computation or indeed any quantum phenomena. In the quantum world, actual physical objects, like elementary particles, have identities in only a very limited sense. It makes sense to talk about an electron and another electron, but not to talk about this electron and that one — interchanging the two electrons in some physical process yields not another process but another channel for the same process, and the channels may interfere (constructively or destructively).



Appendix: Comments on the Environment

In this appendix, we collect some observations and questions about ASM's whose connection to pure mathematics is even more tenuous than in the last section. Indeed, most of them are based on a contrast rather than a connection between the computational and mathematical worlds.

A major difference between the viewpoints of ASM's (together with most of computer science) and pure mathematics is that in the former a dynamic aspect is always present. An ASM doesn't just sit there, it undergoes transitions — as the old name "evolving algebra" emphasizes. Of course, pure mathematics is also capable of dealing with dynamic situations, but this is always explicitly emphasized, not part of a universal background as in ASM's.

There is more to the dynamic aspect of ASM's than just that their dynamic functions can change their values. It is also important that dynamic functions retain their previous values unless explicitly changed. Ironically, this apparently simple default assumption, favoring persistence of values, can increase the logical complexity of what an ASM does. For example, the action of a parallel rule

do for all v
  R(v)
enddo

could be described in existential logic (or in the existential fixed point logic advocated in [ ]) provided its body R(v) could be so described. The parallel rule executes an update if and only if there is a value of v for which R(v) executes that update. But the next state cannot be described existentially, because the … of the rule, the persistence of dynamic functions when not updated, requires a universal quantifier for its description.

The fact that parallel ASM's can be limited to quantifier-free guards, using do for all to simulate quantifiers, is ultimately due to the presence of an implicit universal quantifier in the default requirement that values persist unless explicitly changed. (In the last two paragraphs, I've pretended for simplicity that the ASM's under consideration never attempt conflicting updates. The possibility of clashes would introduce additional universal quantifiers, because an update is executed if some R(v) would execute it (ignoring clashes) and there are no w₁ and w₂ for which R(w₁) and R(w₂) would execute conflicting updates.)

Another sort of default adds complexity not in the logic but in the computational aspects of ASM's. This default is the assumption that, when new elements are created (or imported from the reserve), they arrive with no structure: All Boolean functions, except equality, produce false when one of their arguments is a freshly created element; all non-Boolean functions produce undef under these circumstances. Thus, for example, if P is a binary Boolean function and x is a newly created element, then P(x, y) miraculously has the value false for all y. If we ask how it got that value, there are several possible viewpoints. One is that creating an element really means importing it from the reserve, and that the appropriate default values were already there while x was in the reserve — so the default value of P(x, y) for newly imported x is just a matter of the persistence default discussed above. But of course this viewpoint requires that the initial state of a computation include the appropriate default values for reserve elements, an assumption that is appropriate only at a sufficiently high level of abstraction. At a lower level, one would have to ask how this initialization is to be performed. Another viewpoint is that the defaults are (at least implicitly) set by the ASM at the time the new element is created. This amounts to a fairly large scale parallel operation, not available in the sequential situation; it may be the approach closest to what happens in actual computers when new memory locations are allocated to a computation. A third viewpoint is that the setting of the defaults is, like the choice of which element to import, the responsibility of the environment. This seems to be the simplest approach, but it strikes me as a bit unfair to the environment. Making the environment choose the new element is reasonable, because this cannot be accomplished algorithmically (unless an ordering or some similar structure is available); but setting the defaults could be done algorithmically (in the case of parallel ASM's), so the justification for turning the job over to the environment seems to be only that it's more work than the ASM wants to do.

Let me close with a brief comment, related to the preceding only because it's about the environment. The environment of an ASM is used to model a variety of things: the choice of elements to import (or create), the arbitrary choices involved in non-determinism, input-output operations, and, in distributed computing, all the agents other than the one under consideration. How similar are these, really? There is of course one similarity, which caused them to all be called "environment" in the first place: They are not part of the algorithm (ASM) under consideration, but they interact with it. Is there further similarity among some (or all) of these aspects of the environment? Are there useful distinctions to be made? ("Useful" means, at a minimum, more useful than just listing the various items as I did above.)

One rather imprecise but perhaps useful distinction is obtained by singling out those aspects of the environment's activity that one would expect to be included in a system for executing programs. Such a system should not be expected to provide input or to perform the actions of distributed agents other than the one being simulated. But it could reasonably be expected to execute import rules on its own, or at most with the help of the operating system under which it runs.

References

Abstract. Abstract state machines (ASMs) form a relatively new computation model holding the promise that they can simulate any computational system in lockstep. In particular, an instance of the model has recently been introduced for computing queries to relational databases. This model, to which we refer as the BGS model, provides a powerful query language in which all computable queries can be expressed. In this paper, we show that when one is only interested in polynomial-time computations, BGS is strictly more powerful than both QL and While_new, two well-known computationally complete query languages. We then show that when a language such as While_new is extended with a duplicate elimination mechanism, polynomial-time simulations between the languages become possible.

1 Introduction

Abstract state machines (ASMs) were introduced as a new computation model, accompanied by the "ASM thesis" stating that any algorithm, or more broadly, any computational system, at any level of abstraction, can be simulated in lockstep by an ASM [7, 3, 4, 5]. Recently, Blass, Gurevich, and Shelah (BGS) introduced an instance of the ASM model for expressing queries to relational databases [ ].

Roughly, a BGS program is a complex rule, changing the values of certain dynamic functions at various arguments during the run of the program. Rules are built up from elementary updates by conditionals and parallel composition. The program is iterated until a halting condition is reached. A powerful sublanguage of terms provides set-theoretic operations on arbitrarily nested sets over the input data elements. Once "activated," these sets are incorporated in the run of the program, and can become arguments and values of dynamic functions.

While any computable query can be expressed in BGS, the actual motivation of BGS to introduce their model was to study the complexity class denoted CPTime, corresponding to BGS programs under a polynomial time restriction.

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. 22-33, 2000.
© Springer-Verlag Berlin Heidelberg 2000
Computationally complete query languages have been known in database theory for some years now [ ], and complexity classes similar to CPTime, denoted PSPACE_new and PTIME_new, were introduced by Abiteboul and Vianu [6]. These classes can be defined in terms of the language While_new. This language is the extension of first-order logic with the following features: (1) assignment to relation variables; (2) sequential composition; (3) while-loops; and (4) the introduction of new data elements in terms of tuples of existing ones. All computable queries can be expressed in While_new. The complexity classes PSPACE_new and PTIME_new are obtained by putting polynomial space and time restrictions on While_new programs. Abiteboul and Vianu illustrated the effect of such restrictions by showing that under a polynomial space restriction, While_new programs can no longer check the parity of the cardinality of a set.

The advent of the BGS model thus raises the natural question: how does CPTime compare to PTIME_new? We will show that CPTime is strictly stronger than PTIME_new, in the sense that there are classes of structures that can be separated in CPTime but not in PSPACE_new (and hence neither in PTIME_new). We also identify the reason for this inequality: While_new only has tuple-based invention; new data elements can only be introduced in terms of tuples of existing ones. By repeated application of tuple-based invention one can construct arbitrary lists. BGS, on the other hand, by allowing the construction of arbitrary sets, also has a form of set-based invention. In the absence of an order on the data elements, it is impossible to simulate sets (which are unordered) using lists (which are ordered) without introducing a lot of duplication.

Our result should be correctly compared to what is known from the theory of object-creating query languages. It is already known [ ] that set-based invention cannot be expressed in While_new. However, this is a statement about object-creating queries, where invention is not merely a tool to give more power to query languages, but where we really want to see the new data elements in the result of the query. When only considering standard domain-preserving, or even just Boolean queries, set-based invention seemed less relevant because for such queries While_new is already complete. Our results show that set-based invention is still relevant, but we have to take complexity into account to see it.

When While_new is extended with set-based invention, we show that the language obtained, denoted While_new^*, becomes polynomial-time equivalent with BGS (in a sense that will be made precise). Our work is thus related to the update language detTL for relational databases, introduced by Abiteboul and Vianu [3,5]. Some of the spirit of the ASM model (of which BGS is an instance) is clearly present in detTL, and the equivalence between detTL and While_new

Footnote: Abiteboul and Vianu used the name While^* in their paper [6], but use the name While in their book with Hull [ ], so we use the latter name.

Footnote: A program separates two classes K₁ and K₂ if it outputs 'false' on all structures in K₁ and 'true' on all structures in K₂.
seems to go without saying. New to our result are the programming with sets and the added focus on polynomial time.

We conclude this introduction by mentioning some other related work. The very first computationally complete query language was QL, introduced by Chandra and Harel [9]. Because QL can be simulated in While_new with only a polynomial time overhead [6, 9], our negative result concerning While_new applies as well to QL. We also should note that the well-known object-creating query language IQL, introduced by Abiteboul and Kanellakis [2], was set in a complex-object data model with set values, where the distinction between tuples and sets is blurred as one can always have a tuple with a set as a component. Indeed, IQL is polynomial-time equivalent to While_new^* [19] and thus also to BGS. Finally, we point out that interest in object creation in query languages has recently resurged in the context of Web databases [12]. Current proposals in this field introduce new data elements by constructing terms, and thus essentially employ tuple-based invention.



2 Preliminaries

A relational database scheme is modeled by a finite relational vocabulary, in the sense of mathematical logic [ ], i.e., a finite set of relation names with associated arities. A relational database over a scheme Υ is modeled by a finite structure B over Υ, i.e., a finite domain D and, for each relation name R ∈ Υ, a relation R^B ⊆ D^r, where r is the arity of R. The reader is assumed to be familiar with the syntax of first-order logic formulas over Υ, and the notion of truth of a formula in a structure B.

We next briefly describe the languages While_new, While_new^*, and BGS. For full details we refer to the literature [ , , 9].

2.1 While_new

An assignment statement is an expression of the form

$X := \{(x_1, \ldots, x_j) \mid \varphi\}$

where X is a j-ary relation name, and φ(x₁, …, x_j) is a first-order formula. A tuple-new statement is an expression of the form

$Y := \text{tup-new}\,\{(x_1, \ldots, x_j) \mid \varphi\}$

where Y is a relation name of arity j + 1, and φ is as before.

Programs in the language While_new are now defined as follows: assignment statements and tuple-new statements are programs; if Π₁ and Π₂ are programs, then so is their composition Π₁ ; Π₂; and if Π is a program and φ is a first-order sentence, then the while-loop while φ do Π is a program.

Footnote: Incidentally, in their book with Hull [ ], Abiteboul and Vianu refer to their paper on detTL [5] as the original source for the language While_new, although no language in the style of While_new is discussed in that paper.
Let Π be a program, let Υ be the vocabulary consisting of all the relation names mentioned in Π, and let A be a finite Υ-structure. The result of applying Π to A, denoted Π(A), is the Υ-structure defined as follows:

— If Π is the assignment statement X := {(x₁, …, x_j) | φ}, then Π(A) equals A except for the interpretation of X, which is replaced by

$\{(a_1, \ldots, a_j) \in A^j \mid A \models \varphi(a_1, \ldots, a_j)\}.$  (1)

— If Π is the tuple-new statement Y := tup-new {(x₁, …, x_j) | φ}, then Π(A) equals A in the interpretation of every relation name other than Y. The domain of Π(A) is that of A, extended with as many new elements as there are tuples in the above set (1). Let t be an arbitrary bijection between the set (1) and these new elements. Then the interpretation of Y in Π(A) is defined as

$\{(\bar a, t(\bar a)) \mid A \models \varphi(\bar a)\}.$

— If Π is of the form Π₁ ; Π₂, then Π(A) equals Π₂(Π₁(A)).

— If Π is of the form while φ do Π′, then Π(A) equals Π′ⁿ(A), where n is the smallest natural number such that Π′ⁿ(A) ⊭ φ. If such a number does not exist, then Π(A) is undefined (the while-loop does not terminate).

By the semantics of tuple-new statements (second item), Π(A) is clearly defined up to A-isomorphism only (isomorphisms that leave A pointwise fixed). This is OK, because the particular choice of the newly invented domain elements really does not matter to us. When doing a complexity analysis, we will assume that the domain of A is an initial segment of the natural numbers, and that a tuple-new statement simply extends this initial segment.

When Υ′ is a subset of Υ, and A is a Υ′-structure, we can view A also as a Υ-structure by setting A(X) empty for every relation name X in Υ not in Υ′. In this way we can also talk about Π(A). This convention formalizes the intuition of initializing relation names not part of the vocabulary of the input structure to the empty set. These relation names are used by the program as variables to do its computation and to contain its final output.

. u 

he s la g age o tai ed fro hi disallo i g t pie- e state e ts 

is called hi ad has ee e te si el st died [ , ]. I fi ite odel theor , 

the la g age hi is etter k o der the eq i ale t for of first-order logic 

e te ded ith the partial fi poi t operator [4]. 



s t- st t t is a e pressio of the for 



Y := s t- 



{x,y) (fj 
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here Y is a i ar relatio a e, a d Lp{x, y) is a first-order for la. 

he res It II{A) of appl i g this set- e state e t 7T to a str ct re A, 
eq als A i the i terpretatio s of e er relatio a e other tha Y. I order 
to defi e the do ai of n{A) a d its i terpretatio of Y, co sider the i ar 
relatio 

S= (a,b) A A = (fi{a,b)}. 

e ca ie this relatio as a set- al ed f ctio i the ca o ical a : for a 
a i the first col of S, S{a) := b (a,b) o the do ai of II (A) 

is that of A, e te ded ith as a e ele e ts as there are ijf r t sets i 

the ra ge of S', et i e a ar itrar ijectio et ee the ra ge of S a d these 

e ele e ts. he the i terpretatio of Y i 77(A) is defi ed as 

(a, i(S(a))) b\S{a,b)'\. 

For example, the result of applying

Y := set-new {(x,y) | E(x,y)}

to the structure with domain {1,2,3} where E equals

{(1,1), (1,2), (2,1), (2,2), (3,1), (3,2), (3,3)},

is the structure with domain {1,2,3,4,5} where Y equals

{(1,4), (2,4), (3,5)}.

By adding set-new statements to the language while_new, we obtain the language while_new*.
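The set-new semantics just described, worked through in executable form. This is an added example written for this page, not code from the paper or its authors: a structure is modelled as a domain plus named relations, the relation S defined by φ is computed and grouped by its first column, and one fresh element is invented per distinct set in the range of S, which reproduces the paper's own example (domain {1,2,3}, edge relation E). A `tuple_new` function is included only for contrast; its one-fresh-element-per-tuple reading of the tuple-new statement is my assumption about the construct described earlier in the paper, and it is labelled as such in the code.

```python
"""Executable model of the set-new statement (added example, not the paper's code)."""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Relations = Dict[str, Set[tuple]]
Structure = Tuple[List[int], Relations]          # (domain, named relations)
Formula = Callable[[Relations, int, int], bool]  # phi(x, y) evaluated on the structure


def set_new(struct: Structure, y_name: str, phi: Formula) -> Structure:
    """Y := set-new {(x, y) | phi}.

    Invents one fresh element per *distinct* set in the range of the
    set-valued function S(a) = {b | A |= phi(a, b)} and sets
    Y = {(a, i(S(a))) | exists b: S(a, b)}.  All other relations are kept.
    Fresh elements continue the domain, which the paper assumes to be an
    initial segment of the natural numbers.
    """
    domain, rels = struct
    # S = {(a, b) in A x A | A |= phi(a, b)}, viewed set-valued: a -> S(a)
    groups: Dict[int, Set[int]] = {}
    for a in domain:
        for b in domain:
            if phi(rels, a, b):
                groups.setdefault(a, set()).add(b)
    # One fresh element per distinct set in range(S).  The bijection i is
    # fixed by first encounter, which is fine: the result is only defined
    # up to A-isomorphism anyway.
    fresh = (max(domain) + 1) if domain else 1
    bijection: Dict[FrozenSet[int], int] = {}
    for a in sorted(groups):
        key = frozenset(groups[a])
        if key not in bijection:
            bijection[key] = fresh
            fresh += 1
    new_rels: Relations = dict(rels)
    new_rels[y_name] = {(a, bijection[frozenset(bs)]) for a, bs in groups.items()}
    return domain + sorted(bijection.values()), new_rels


def tuple_new(struct: Structure, x_name: str, phi: Formula) -> Structure:
    """X := tuple-new {(x, y) | phi}: one fresh element per *tuple* of S.

    ASSUMPTION: this is the invent-a-witness-per-tuple reading of tuple-new.
    It is here only to show why set-new avoids duplicating witnesses for
    rows a, a' with identical S(a) = S(a').
    """
    domain, rels = struct
    fresh = (max(domain) + 1) if domain else 1
    new_domain = list(domain)
    witnesses: Set[tuple] = set()
    for a in domain:
        for b in domain:
            if phi(rels, a, b):
                witnesses.add((a, b, fresh))
                new_domain.append(fresh)
                fresh += 1
    new_rels: Relations = dict(rels)
    new_rels[x_name] = witnesses
    return new_domain, new_rels


# Constructed input: the paper's example graph on domain {1, 2, 3}.
EXAMPLE_E = {(1, 1), (1, 2), (2, 1), (2, 2), (3, 1), (3, 2), (3, 3)}


def edge(rels: Relations, x: int, y: int) -> bool:
    """phi(x, y) = E(x, y)."""
    return (x, y) in rels["E"]


def paper_example() -> Tuple[List[int], Set[tuple]]:
    """Apply Y := set-new {(x, y) | E(x, y)} to the example structure."""
    domain, rels = set_new(([1, 2, 3], {"E": set(EXAMPLE_E)}), "Y", edge)
    return domain, rels["Y"]


if __name__ == "__main__":
    dom, y = paper_example()
    print("domain:", dom)      # [1, 2, 3, 4, 5]
    print("Y:", sorted(y))     # [(1, 4), (2, 4), (3, 5)]
```

Nodes 1 and 2 have the same successor set {1,2}, so set-new gives them one shared witness (4) while node 3 gets its own (5); the tuple-new variant would instead create seven witnesses, one per edge, which is the duplication that the later sections of the paper contrast with the set-based construction.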

2.4 BGS



BGS takes a functional point of view: computing means updating the values of certain user-defined, named, "dynamic" functions at various arguments. Arguments and values can be elements of the domain D of the input structure, as well as hereditarily finite sets built over D during the execution of the program. Formally, the set HF(D) of hereditarily finite sets over D is the smallest set such that if x_1, ..., x_n are in D ∪ HF(D), then {x_1, ..., x_n} is in HF(D). Every dynamic function name has an associated arity r, and thus has, at any stage of the computation, an interpretation (which can be updated in later stages) as a function from (D ∪ HF(D))^r to D ∪ HF(D). The extent of such a function f is the set {(x, f(x)) | x ∈ (D ∪ HF(D))^r and f(x) ≠ ∅}. At any stage of the computation, the extent of the interpretation of any dynamic function will be finite.

A number of static functions, which cannot be updated, are predefined: the relations of the input structure are given as boolean functions. The usual logical constants and functions (true, false, and, or, not, equality) are provided. Finally, some set-theoretic constants and functions are provided: the empty set; the input domain; set membership; set union; singleton extraction; and pairing. The input domain is called 'Atoms'. Union is unary, working on a set of sets.

¹ In … terminology this corresponds to grouping by the first column.

Terms can now be built up from variables, constants,² functions, and the set constructor {t : v ∈ r : g}, where v is a variable that does not occur free in term r but can occur free in term t and boolean term g. Variable v becomes bound by the set constructor. The semantics is the obvious one of {t : v ∈ r and g}.

Finally, rules express transitions between states by updating the dynamic functions. Elementary update rules are of the form f(t_1, ..., t_j) := t_0, where f is a dynamic function name (of arity j) and t_0, ..., t_j are terms. The semantics is obvious. From elementary update rules more complex rules can be built by conditionals and parallel composition. More specifically:

— If g is a boolean term and R_1 and R_2 are rules, then so is if g then R_1 else R_2 endif, again with the obvious semantics.

— If v is a variable, r is a term in which v does not occur free, and R is a rule in which v can occur free, then forall v ∈ r do R enddo is a rule in which v becomes bound. The semantics is to perform R in parallel for all v ∈ r, except if this yields conflicting updates in which case we do nothing.

A program is simply a rule without free variables. A program Π is started in the initial state, where all dynamic functions have the empty extent, and all static functions are initialized by the input structure I. In a run of the program, successive states are computed, until the dynamic boolean constant 'Halt' (which is present in all programs) becomes true. The final state is then the result Π(I). As with while_new programs, a BGS program may not terminate on some inputs.

Examples

An example of a while_new program is shown in Figure 1, and an example of a BGS program is shown in Figure 2. Both example programs work on directed graphs, modeled as structures whose domain is the set of nodes and which have a binary relation E holding the edges. Both programs compute, for all pairs of nodes (x,y), all shortest paths from x to y. They do not follow exactly the same algorithm; the while_new program does a single-source single-target search in parallel for all source-target pairs (x,y), while the BGS program does a single-source all-targets search in parallel for all sources x.

In the while_new program, a path x_0 … x_n is represented by invented values p_0, …, p_n such that the following relations, defined by the program, hold: Path(x_0, x_i, p_i) for i = 0, …, n; Of(p_i, x_i) for i = 0, …, n; and hi(p_i, p_{i+1}) for i = 0, …, n − 1. The relations Frontier and X used in the program are auxiliary variables.



² As usual, constants are viewed as zero-ary functions.

Path := tuple-new {(x,y) | x = y};
Of := {(p,x) | ∃y Path(x,y,p)};
Frontier := {(x,y,p,z) | Path(x,y,p) ∧ E(x,z) ∧ z ≠ x};
while Frontier ≠ ∅ do
  X := tuple-new {(x,y,p,z) | Frontier(x,y,p,z)};
  Path := {(x,y,q) | Path(x,y,q) ∨ ∃p∃z X(x,y,p,z,q)};
  Of := {(q,z) | Of(q,z) ∨ ∃x∃y∃p X(x,y,p,z,q)};
  hi := {(p,q) | hi(p,q) ∨ ∃x∃y∃z X(x,y,p,z,q)};
  Frontier := {(x,y,q,z') | ∃p∃z (X(x,y,p,z,q) ∧ z ≠ y ∧ E(z,z'))}
od;
Path := {(x,y,p) | ∃p' (Path(x,y,p') ∧ Of(p',y))}.

Fig. 1. A while_new program computing all-pairs shortest paths.



if … = 0 then
  forall x ∈ Atoms do
    Reached(x) := {x},
    Paths(x,x) := {{x}},
    Frontier(x) := {x}
  enddo
endif,
if … = 1 then
  forall x ∈ Atoms do
    Old_Frontier(x) := Frontier(x),
    Frontier(x) := {y : y ∈ Atoms : y ∉ Reached(x) and {z : z ∈ Frontier(x) : E(z,y)} ≠ ∅}
  enddo,
  … := 2
endif,
if … = 2 then
  forall x ∈ Atoms do
    forall y ∈ Frontier(x) do
      Paths(x,y) := {(p,y) : p ∈ ⋃{Paths(x,z) : z ∈ Old_Frontier(x) : E(z,y)} : true}
    enddo,
    Reached(x) := Reached(x) ∪ Frontier(x)
  enddo,
  Halt := ⋃{Frontier(x) : x ∈ Atoms : true} = ∅
endif

Fig. 2. A BGS program computing all-pairs shortest paths.
In the BGS program, a path x_0 … x_n is represented by a pair (x_0 … x_{n−1}, x_n), where the x_0 … x_{n−1} is again represented by a pair, recursively.³ The base case n = 0 is represented by a singleton {x_0}. The program updates a dynamic binary function Paths such that Paths(x,y) equals the set of shortest paths from x to y. Other dynamic functions and constants used by the program to aid the computation are …, Reached, Frontier, and Old_Frontier. The comma between rules denotes parallel composition, and … is a shorthand for a trivial forall-do construct. The natural numbers 0, 1, and 2 assigned to … are in HF(D) by their definition as von Neumann numerals: 0 is the empty set, and n > 0 is {0, 1, …, n − 1}, recursively [6]. The numbers 0 and 1 also play the role of the booleans false and true.

r i i 

In this section, we define what it means for two classes of structures over the same vocabulary to be separable in polynomial time by BGS programs, or by while_new programs. We then prove that there exists a pair that is separable in polynomial time by a BGS program, but not by a while_new program.

During the run of a BGS program on a structure with domain D, a certain number of sets in HF(D) are activated, meaning that at some point they appear in the extent of some dynamic function. Elements of active sets are also considered to be active, and this holds recursively. Similarly, during the run of a while_new program on a structure, a certain number of new elements are invented. Activated sets and invented elements yield measures of space usage by BGS and while_new programs, which are quite rough, but sufficient for our purposes.

Equally rough measures of time spent by BGS and while_new programs can be defined as follows: the time spent by a BGS program on a structure is the number of times the program is iterated until the halting condition is reached; the time spent by a while_new program on a structure is the number of times an assignment or tuple-new statement is executed during the run of the program.

In the following two paragraphs fix two disjoint classes K_1 and K_2 of structures over a common vocabulary.

Let Π be a BGS program using a boolean dynamic constant Output for output. We say that Π separates K_1 from K_2 if for any structure A ∈ K_1 ∪ K_2, the value of Output in Π(A) is false if A ∈ K_1, and is true if A ∈ K_2. We say that Π separates K_1 from K_2 in polynomial time if moreover, there exist two polynomials p(n) and q(n) such that for any A ∈ K_1 ∪ K_2, Π runs on A for at most p(n) time, and activates at most q(n) sets, where n is the cardinality of the domain of A.

Similarly, let Π be a while_new program having some relation variable Output. We say that Π separates K_1 from K_2 if Π(A) is defined for any structure A ∈ K_1 ∪ K_2, and relation Output in Π(A) is empty if A ∈ K_1, and is not empty if A ∈ K_2. We say that Π separates K_1 from K_2 in polynomial time if moreover, there exist two polynomials p(n) and q(n) such that for any A ∈ K_1 ∪ K_2, Π runs on A for at most p(n) time, and invents at most q(n) elements, where n is the cardinality of the domain of A.

³ Recall that ordered pairs (x,y) are by definition in HF(D), as {{x}, {x,y}} [16].

Since we do not care what the programs do on structures outside K_1 and K_2, the above notion of separation is quite liberal. Still, we will be able to obtain a negative result regarding the separating power of while_new in polynomial time. Also, in our definition, it is important to polynomially restrict the space used as well as the time, because in BGS or while_new it is possible to use an exponential amount of space even in only a linear amount of time.

We can prove (proof omitted):

Theorem 1. There exist pairs of classes of structures that are separable in polynomial time by a BGS program but not by a while_new program.

Consider the vocabulary consisting of a single relation name P, which is unary. For any natural number n, define a structure I_n over this vocabulary as follows. The domain of I_n consists of 2^n elements. Exactly n of these satisfy the predicate P. The pair on which we are going to prove the theorem was already considered by Blass, Gurevich and Shelah [8] and is the following: K_1 = {I_n | n even}, and K_2 = {I_n | n odd}. We can easily separate K_1 from K_2 by a BGS program in polynomial time: the program generates all subsets of P with even cardinality (which is in polynomial time because the cardinality of the input domain is 2^n), and then checks whether P itself was generated.

We can actually show that K_1 cannot be separated from K_2 by any while_new program that can invent only a polynomial number of elements; the time spent by the program will be irrelevant.

Because of the equivalence between while_new and the generic machine model of Abiteboul and Vianu [6], Theorem 1 implies that generic machines are strictly weaker than BGS in the context of polynomial time computation. This result corrects a tentative claim ('the simulation in the reverse direction can, it seems, be carried out using the "form and after" considerations in Section 9') near the end of Section … of the paper [8]. The form and after considerations mentioned there involve tuples rather than sets as "afters" and therefore run into the same duplication problem as while_new.

4 i i q i c * 

In this section, we formally define notions of polynomial-time simulation of BGS programs by while_new* programs, and vice versa, and show that such simulations exist.

4.1 Simulating while_new* in BGS

To simulate while_new* in BGS, we need some way to represent elements that are invented by a while_new* program by hereditarily finite sets that can be constructed by a BGS program. For elements invented by a tuple-new statement, we already did this in the previous section, where we described a list-construction semantics for tuple-new.⁴ So it remains to describe a set-construction semantics for set-new.

To this end, recall the semantics of a set-new statement Y := set-new S on a structure A (where S is a binary relation on A defined by some first-order formula), which assigns to relation name Y the relation {(a, i(S(a))) | ∃b : S(a,b)} for some bijection i from the range of S (viewed as a set-valued function) to new elements. Fix this bijection i uniformly as follows. Assume it is the m-th time we are performing a tuple-new or set-new statement in the execution of the program. Then i(S(a)) is defined to be the pair

(S(a), A_m),

where A_m is as defined in the previous section.

We now say that a BGS program Π' simulates a while_new* program Π if for every input structure I, if Π(I) is defined then so is Π'(I), and for every relation variable X of Π, say of arity r, there is an r-ary boolean dynamic function X' of Π', such that the tuples in X in Π(I) are exactly the tuples at which X' is true in Π'(I). Moreover, we say that the simulation is in linear-step polynomial-space if there exists a constant c and a polynomial p such that for every input structure I where Π(I) is defined, the following holds. Let the time for which Π runs on I be t, and let the number of invented elements during the run be s. Then Π' runs on I for at most ct time, activating at most p(n + s) sets, where n is the cardinality of the domain of I.

Here, in close analogy to what we defined for while_new programs at the beginning of Section 3, we define the time spent by a while_new* program on a structure as the number of times an assignment, tuple-new, or set-new statement is executed during the run of the program.

Note that, while we allow a polynomial overhead in space usage, we allow only a linear overhead in the running time of the simulation. A weaker notion of polynomial time simulation could be defined, allowing a polynomial overhead also for running time, but we will not need to consider this weaker notion as we will be able to obtain positive results for our stronger notion.

We can show (proof omitted):

Theorem 2. Every while_new* program has a linear-step polynomial-space simulation by a BGS program.

4.2 Simulating BGS in while_new*

To simulate BGS in while_new*, we need some way to represent hereditarily finite sets by invented elements. To this end, we observe that for any finite domain D, the structure (D ∪ HF(D), ∈) is an (infinite) directed acyclic graph. At any stage in the run of a BGS program on a structure with domain D, the active sets, together with the elements of D, generate a finite subgraph of this graph. The simulating while_new* program will maintain a copy of that subgraph, where the active sets are represented by invented elements, and the elements of D are represented by themselves. The membership relation will be stored in a relation variable.

⁴ Lists are special kinds of sets: a list of length n is a mapping from {1, …, n} to the set of members of the list, and a mapping is a set of ordered pairs.

We now say that a while_new* program Π' simulates a BGS program Π if for every input structure I, if Π(I) is defined then so is Π'(I), and for every dynamic function name f of Π, say of arity r, there is an (r + 1)-ary relation variable f' of Π', such that f' in Π'(I) equals exactly the extent of f in Π(I), under the representation of the active hereditarily finite sets by invented elements as given by the membership relation in Π'(I). Moreover, we say that the simulation is in linear-step polynomial-space if there exist a constant c and a polynomial p such that for every input structure I where Π(I) is defined, the following holds. Let the time for which Π runs on I be t, and let the number of sets activated during the run be s. Then Π' runs on I for at most ct time, inventing at most p(s) elements.⁵

We can show (proof omitted):

Theorem 3. Every BGS program has a linear-step polynomial-space simulation by a while_new* program.


Acknowledgement. Thanks go to Marc Spielmann for proofreading an earlier draft of this paper.



References

1. S. Abiteboul, R. Hull, and V. Vianu. Foundations of Databases. Addison-Wesley, 1995.
2. S. Abiteboul and P. Kanellakis. Object identity as a query language primitive. Journal of the ACM, 45(5):798–842, 1998.
3. S. Abiteboul and V. Vianu. Procedural and declarative database update languages. In Proceedings 7th ACM Symposium on Principles of Database Systems, pages 240–250, 1988.
4. S. Abiteboul and V. Vianu. Fixpoint extensions of first-order logic and Datalog-like languages. In Proceedings 4th IEEE Symposium on Logic in Computer Science, pages 71–79. IEEE Computer Society Press, 1989.
5. S. Abiteboul and V. Vianu. Procedural languages for database queries and updates. Journal of Computer and System Sciences, 41(2):181–229, 1990.
6. S. Abiteboul and V. Vianu. Generic computation and its complexity. In Proceedings 23rd ACM Symposium on Theory of Computing, pages 209–219, 1991.

⁵ The reader will have noticed that, while here we require that Π' invents at most p(s) elements, in the notion of polynomial-space simulation of while_new* programs by BGS programs as defined in the previous subsection, we allowed the simulating program to activate p(n + s) sets. The reason for this is that, if a while_new* program Π does not invent any elements (i.e., s = 0), a simulating BGS program still needs to activate some sets just to evaluate the first-order formulas used in Π.

Abstract State Machines and Computationally Complete Query Languages 33

7. Abstract state machines web pages. (www.eecs.umich.edu/gasm).
8. A. Blass, Y. Gurevich, and S. Shelah. Choiceless polynomial time. Annals of Pure and Applied Logic. To appear; also available from [7].
9. A. Chandra and D. Harel. Computable queries for relational data bases. Journal of Computer and System Sciences, 21(2):156–178, 1980.
10. H.-D. Ebbinghaus and J. Flum. Finite Model Theory. Springer, 1995.
11. H.-D. Ebbinghaus, J. Flum, and W. Thomas. Mathematical Logic. Undergraduate Texts in Mathematics. Springer-Verlag, 1984.
12. M. Fernandez, D. Florescu, J. Kang, A. Levy, and D. Suciu. Catching the boat with Strudel: experiences with a web-site management system. SIGMOD Record, 27(2):414–425, 1998. Proceedings ACM SIGMOD International Conference on Management of Data.
13. Y. Gurevich. Evolving algebras: an attempt to discover semantics. Bulletin of the European Association for Theoretical Computer Science, 43:264–284, 1991.
14. Y. Gurevich. Evolving algebra 1993: Lipari guide. In E. Börger, editor, Specification and Validation Methods, pages 9–36. Oxford University Press, 1995.
15. Y. Gurevich. May 1997 draft of the ASM guide. Technical Report CSE-TR-336-97, University of Michigan, EECS Department, 1997.
16. P. Halmos. Naive Set Theory. Van Nostrand Reinhold, 1960.
17. P.G. Kolaitis and M.Y. Vardi. Infinitary logics and 0-1 laws. Information and Computation, 98(2):258–294, 1992.
18. J. Van den Bussche and J. Paredaens. The expressive power of complex values in object-based data models. Information and Computation, 120:220–236, 1995.
19. J. Van den Bussche, D. Van Gucht, M. Andries, and M. Gyssens. On the completeness of object-creating database transformation languages. Journal of the ACM, 44(2):272–319, 1997.




On Verification of Refinements of Timed Distributed Algorithms



J. Cohen¹ and A. Slissenko¹,²

¹ University Paris-12, Dept. of Informatics, 61 Av. du Gén. de Gaulle, 94010 Créteil, France
{cohen,slissenko}@univ-paris12.fr
² St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences



Abstract. This work is an attempt to apply Gurevich Abstract State Machines methodology to the verification of refinements of real-time distributed asynchronous algorithms. We define refinements following the semantical framework of observability, however, with respect to chosen pieces of the program. The time we consider is continuous as our motivation is related to systems of control that are usually specified within continuous time framework; the same framework is valid for discrete time. We remark that refinement of timed programs is not a simple replacement of a part of a program making it more detailed. As an example to illustrate this we take Lamport's Bakery Algorithm with real-time constraints. However, one of the key questions related to the verification of refinements is the preservation of verification proofs for the non refined initial algorithm as much as possible when verifying the refinement. This is the case for the notion of refinement we define. We introduce a notion of asynchronous timed distributed algorithm, define its semantics and discuss in what logic can be expressed its functioning. Then we introduce notions of refinement, and consider a refinement of interprocess communication of real-time Lamport's Bakery Algorithm using parallel message exchange. Such a refinement, contrary to our intuition, demands some non evident transformation of the initial algorithm to make it correct.



1 Introduction

The goal of this paper is to define asynchronous timed algorithms and their refinements. To illustrate our system of notions we study a concrete algorithm, namely a real-time version of Lamport's Bakery, within this framework. (In fact, the notions we introduce are intended to model more complex algorithms, composed from many modules with non trivial asynchronous interaction.) Though the classical notion of asynchronous algorithm does not have any metric time constraints, practical implementation of such an algorithm usually cannot have, say, unlimited delays, and to be practical, some time constraints may be necessary, at least at some level of refinement of such an algorithm. Moreover, the time is very intuitive, and this is one of the reasons why time arguments are largely used in reasoning about distributed algorithms.

What is more important concerning the time, is that it often appears in initial requirements specification. So if we rewrite directly the initial specification using time one can hardly require formal justification of this passage, but if we eliminate time then, clearly, we modify the initial specification, and this modification is to be justified. But formal justification will demand an adequate notion of time to express what we are modifying. For example, Lamport in [7] writes, giving a requirements specification of the critical section problem: "At any time at most one computer may be in its critical section". Clearly, we can directly rewrite it as ∀t ∀p ∀q (CS(t,p) ∧ CS(t,q) → p = q), where t is a time variable, p and q are variables for processes and CS(t,p) is a predicate which states that "process p is in critical section at the moment t". And that is how we proceed here.

The paper [2] by E. Börger, Yu. Gurevich and D. Rosenzweig was a starting point of our work. We use the methodology of Gurevich Abstract State Machines (ASM) and not the exact notion from, say, [6]. More precisely, we assemble in the style of ASM a minimal notion sufficient for our goal from simple programming constructions starting from assignments as used in ASM. The ASM methodology gives basic principles how to define semantics of such algorithms. To be adequate to Lamport's text [7] we introduce asynchronous executions of our distributed algorithms with delays. To give to the algorithm a real-time flavor we consider here restricted delays, and thus, slightly deviate from the original Lamport's Bakery.

Within our semantics the Lamport's Bakery algorithm rewritten in our system of notations can be proved to be correct following Lamport's original proof.

However, our main goal is to define a notion of refinement of practical significance and to study whether the verification proof for the non-refined initial algorithm can be preserved for the verification of the refined one. In our definition of refinement we follow the idea of observational equivalence related to some structural properties of the program. And for this notion the proof preservation mentioned above takes place. Constructing a correct refinement remains a non-trivial problem, and we illustrate it by giving a refinement of communications in real-time Lamport's Bakery. We also remark that a straightforward 'local' replacement of operators that we wish to refine by their refinements does not give a correct refinement.

Though the notion of refinement was studied in many papers (e.g. see [9, …, 3, …, …]), our notion treats real-time algorithms, where the time can be used without any restrictions and the refinement itself is being done with respect to chosen pieces of the program. These properties are motivated by the analysis of practical refinements and the verification problem, and all this differs our notion from the notions of refinement considered in other papers. For example, in the paper […] the time is represented only as ticks. The properties of such systems are described in … (Real-time Temporal Logic) where concrete bounds on the number of ticks are admissible as real-time constraints. Treating refinement as an observational equivalence the author proves a theorem about preservation of properties under this equivalence. The limited formalisms of […] may have some algorithmic advantages, but we look for formalisms that permit to express much richer properties.

The analysis of refinements and refinement mappings in […] defined in terms of runs of state machines touches many subtle questions in a semantical framework. A state machines framework with many compositionality properties is also developed in […] aimed at compiler construction.

Paper [3], which gives many references on the study of the refinement, is concentrated on interactive systems and compositionality. There is no time explicitly involved. With respect to compositionality our case is different because of real-time constraints, and we have not yet studied this topic.

c r i ri ri ir 

i ic 

Introducing explicit time we pursue two goals: first, to give a unified and intuitive view on semantics and verification proofs and, second, to give possibility to introduce time constraints in specifications of algorithm when refining it or when making precisions of initial formulation.

s c r us istri ut rit iti 

The vocabulary of a language to describe asynchronous distributed timed algorithms (further, simply "algorithms") consists of sorts and functions (predicates are treated as a particular case of functions). A part of the elements of the vocabulary will have a predefined interpretation, and the remaining elements will be called abstract. Among abstract functions there are distinguished input and output ones, the two sets being disjoint. A relation between input and output functions constitutes the main part of the specification of functioning of the system under consideration.

Sorts. The sort time will be interpreted as ℝ≥0, and will be a subsort of the sort of reals ℝ. The sort ∞ is interpreted as an element which is greater than all the elements of ℝ. The sort time∞ is time ∪ {∞}, and sort … is considered as subsort of …. The sort Bool denotes Boolean values. There can be other sorts that are presumed to be abstract and finite. Each sort is supplied with a set of variables; these sets are disjoint for different sorts.

Functions. Pre-interpreted constants for reals are all rationals ℚ. Nullary function CT represents the current time. Relations <, ≤ for the reals and ∞ are usual, and there is equality for each sort. Abstract functions (other than predicate of equality) can be of type X → Y, where X is a product of finite abstract sorts, and Y is an arbitrary sort.

The abstract functions are partitioned into external and internal. External ones are those that cannot be changed by algorithm, internal ones are those that can be changed by algorithm. External functions that depend on time are input functions. Internal functions of zero arity (also called … functions) play the role of identifiers, as well as terms f(X) for a fixed value of its arguments X. The mentioned arguments X can be viewed as parameters. Identifiers f(X) and f(X') are different iff X ≠ X'.

Syntax.



Term ::= Identifier | Function(Term_1, …, Term_n),
where here and in the next line Function is an n-ary function symbol.
InternalTerm ::= Identifier | Function(Term_1, …, Term_n).
Formula ::= standard first order formula.
Guard ::= Formula without time or real variables. It must be either closed or have free variables only bounded by Par ω ∈ Ω, see below the definition of the operator.
Assignment ::= InternalTerm := Term.

An asynchronous timed distributed algorithm over a vocabulary is a pair of the form (InitState, {Π_1, …, Π_n}), where InitState is a formula defining initial state, i.e. the values of all the abstract functions of the vocabulary (at time 0 if a function has a time argument), and each Π_i is a program or process that is defined below. (We use the word "operator" where in programming languages one uses "statement" and where Yu. Gurevich [6] usually uses the word "rule".)

Operator ::= Assignment                               — defined above
           | Seq Operator_1; …; Operator_n EndSeq      — sequential block
           | Par Operator_1 … Operator_n EndPar        — parallel block
           | If Guard Operator EndIf                   — conditional operator
           | Repeat Operator Until Guard               — repeat operator

Extensions of the syntax like (1) Par ω ∈ Ω Op(ω) EndPar, where Ω is a finite set, (2) Repeat Op_1(ω) … Op_k(ω) Until …, have obvious meaning.



2.2 Semantics of Asynchronous Distributed Algorithms

The semantics we define presumes that the actions are instantaneous, but between consecutive actions there is a delay. Imposing different constraints on delays we can vary details of the semantics. We assume that delays are bounded and can be different for different operators. Not to complicate the situation too much, we suppose that there are two delays: one for "internal" operations of a process, and the other for "external" information exchange. That means that assignments or guards that use information from other processes have "external" delays. We assume that there are positive constants δ_int and δ_ext that give bounds on the mentioned delays: t <_int t' ⇔ t < t' < (t + δ_int) and t <_ext t' ⇔ t < t' < (t + δ_ext). The notation t <_delay t' will mean that the delay between t and t' can be determined by a syntactical criterion: the delay is internal if the concerned operator deals only with the identifiers of the same process. For example, an assignment of a process P is classified as external iff it is of the form f(η̄) := θ, where f is an internal function of P, and either the terms of list η̄ or term θ contain functions of other processes. In this case we tacitly presume that the process has to send a query to another processes to get the necessary information, that implies an external delay, and then to receive this information, that contributes again to the external delay. Similar for guards.

Remark that we can eliminate Zeno runs if we impose a positive lower bound on delays.

The semantics is defined by a propagation of time moments of execution of operators and by defining simultaneously the values of internal functions. To simplify the presentation we will give first the rules of propagation of time though, strictly speaking, some of them involve results of function evaluation. Below … stands for …, Op stands for Operator.

Time Propagation Rules.

Intuitive meaning of vertical arrows below is as follows: "Op ↑(t)" means "t is the termination time of the operator", "↓(t) Op" means "t is the start time of the operator". Double arrow is used when the algorithm takes values or changes values. So ↓(t) goes down to an assignment, is changed to a double arrow ⇓(t), and the latter goes up (as ⇑(t)) to the end of the operator. Symbol ⇒ means that the expression at the left can be rewritten as an expression at the right of ⇒. Below t' is an arbitrary moment such that t' >_int t, and t', t'' are arbitrary moments such that t'' >_delay t' >_delay t.

Given an algorithm (InitState, {Π_1 … Π_n}) its initial time distribution is {↓(0) Π_1 … ↓(0) Π_n}.

The following transition says that the execution is finite and halts:

{Π_1 ↑(t_1) … Π_n ↑(t_n)} ⇒ {Π_1 … Π_n} ↑(…).

{t) r r (t). (t) r r ( )• 

(t) q q (t). (t); ; {t). {t) q Q (f )• 

(t) ar Op ... Opn ar ar {t )Op ... ar 

for an t ... >i„t t. 

arOp {t ) ... Opn {tn) ar 

avOp ... Opn ar (t ) for an t >mt a t ... t„}. 

(t)If If (t). {t) If If {t). 

If {t)Gu Op If If Gw tt(0 Op If. 

If Gw TTW Op If 

If Gw {t )Op If if Gw (t) is true 

If Gw Op If (t ) ot er ise. 

{t) p at p at (t). {t) ti ti {t). 

p at Op ti {t)Gu p at 

p at Op ti Gw TT (O P 

p at Op ti Gu ft (t) p at 

p at {t ) Op ti Gw p at if Gu (t) is false 

p at Op ti Gu p at {t ) ot er ise. 

{t) 0 :=e e^{t):=e. e^{t):=e 0 :=a{t)e. 

0:=il{t)0 0:=0 {t). 

Let θ = f(η_1, …, η_n), where f is an internal function. To change the value of θ we are to find the values of arguments η_1 … η_n of f and the value to assign. We take all these values at t and change the value of θ at t' >_delay t.
Definition of Run (Semantics of Algorithms).

We consider arbitrary inputs. The internal functions in our definition below will be piecewise constant with pieces being left-open right-closed. Such a definition was elaborated for another type of ASM in [4].

Given an algorithm A, an interpretation of sorts and values of inputs satisfying InitState for t = 0, an execution of A for these inputs defines the values of its internal functions at every moment t, at least for some prefix of ℝ≥0, that together with the inputs constitute a timed run of the algorithm. Together with the run we will define other notions, either auxiliary or giving more detailed information on the execution of the algorithm, to use them in the analysis of refinements.

Clearly, the run at a moment t at which it is defined determines an interpretation of the vocabulary. We will denote by f[·] the interpretation of f given by the interpretation written in the brackets, which is an interpretation of a part of the vocabulary containing f. For example, f(X)[·] taken at the run at moment t is the value of f(X) as defined by the run at t. We extend this notation on terms in a usual way. If we have an interpretation of the vocabulary for every time moment we can define for each f of type X → Y an interpretation of its timed image f° of type time × X → Y (symbol f° is in some other vocabulary) as f°(t, X) = the value of f(X) under the interpretation at moment t. Consider an algorithm A = (InitState, {Π_1 … Π_n}) over the vocabulary. We assume that the initial state of A uniquely determines the values of internal functions at time 0 being given an input. Let the external functions be given and suppose that the algorithm starts its execution. The values of internal functions at time t are to be defined for t ≥ 0. An internal function can be changed only by assignments. So we look for the moments of time at which the assignments are executed. We assume that all the guards and operators occurring in A are enumerated so that we can speak about their occurrences. By default, when mentioning a guard or an operator we mean its occurrence in A.

Applying Time Propagation Rules to the algorithm A, starting from the initial time distribution, we get an expression that is a list of programs with occurrences of arrow expressions ↓(t), ↑(t), ⇓(t) and ⇑(t) for concrete moments t. Such an occurrence of time will be called arrowed. An algorithm with arrow expressions will be called a timed algorithm expression. (Remark that to make an assignment we take the values of all involved terms at the same point. But the changed value will be valid only after this moment and on a left-open interval. To memorize the value to assign we introduce for every moment T an auxiliary value.) So to define a run we define simultaneously the values of internal functions, the auxiliary values, a sequence of timed algorithm expressions and some other notions.

{k) ill be denoted t e obtained after k applications of i e 

ropagation ules. e define b induction on /c ti e o ents Tk, s (fc), 

functions (t) for t < Tk, (t) for t Tk and also: 

- for e er operator Op e define t e set Int[Op Tk] of its inter als of 
e ecution of t e for [ ) b describing consecuti el t eir left and rig t ends 

and situated to t e left of Tk, 

~ for e er internal function / of t pe and X e define a set 

l[f X Tk] of alues to take as f{X) at so e o ent greater or equal to Tk, 
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and t e predicate Tm[f X Tk] ic sa s t at is a o ent to c ange t e 
alue of f{X). default, e er ele ent of t e set I is deleted fro t e set 
after a ing been used. 

- for eac occurrence Ass n of an assign ent of t e for fijj) := 9 e 
define a function A [Ass n Tk] t at gi es X for ic t is assign ent is to 
c ange f{X) at Tk or later. 

Time Propagation Rules are being applied to each occurrence of ↑ in (k). To simplify the recursive definition, we extend time to the left of 0 by, say, some fixed amount, and set T_0 = 0, take (t) for t in this initial interval as defined by the initial state, set (t) = (0) on the part of the initial interval left of 0, and let (0) = (↑(0)P_1, ..., ↑(0)P_N). All the mentioned sets are empty for T_0 and predicate Tm is false.

Suppose that T_{k−1}, and all the mentioned functions and sets, have been defined for T_{k−1} for some k > 0. Let T_k = MinTm((k−1)) be the minimum of arrowed occurrences of time in (k−1). If T_{k−1} < T_k then first apply (Update) and then (Propagation) as described below, otherwise apply directly (Propagation). The procedure (Update) is applied when all minimal time occurrences with the same value have been eliminated; in this case the time advances, and we make updates and extend all the values to the next minimal time.

(Update) For all internal functions f and for all X such that Tm[f, X, T_{k−1}] do: if #Val[f, X, T_{k−1}] > 1 then the run is undefined for τ > T_{k−1}; if Val[f, X, T_{k−1}] = {v} then set f(τ) = v, otherwise set f(τ) = LeftLim_{t→T_{k−1}} f(t), for τ ∈ [T_{k−1}, T_k). Thus (τ) is extended beyond T_{k−1}. Now set (τ) = (T_{k−1}) for τ ∈ (T_{k−1}, T_k]. After that, each used set Val[f, X, T_{k−1}] becomes empty at T_k, and the others are extended to T_k.

(Propagation) If there is an occurrence of the form θ :=⇓(T_k) θ', take it; otherwise take an arrowed occurrence of T_k, and act according to the case:

(P.1) ↑(T_k) θ := θ'. Replace this occurrence by θ ⇑(t) := θ', choosing an arbitrary t ≥_delay T_k. The point T_k is the left end of the interval of execution of the assignment under consideration.

(P.2) θ ⇑(T_k) := θ', where θ = f(η_1, ..., η_n). Let X = (η_1, ..., η_n)[(T_k)] and v = θ'[(T_k)]. Add v to Val[f, X, T_k] and set A[Assign, T_k] = X, where Assign is the occurrence of θ := θ' under consideration. Then choose a t ≥_delay T_k and replace (P.2) by θ :=⇓(t) θ'.

(P.3) θ :=⇓(T_k) θ'. Set Tm[f, X, T_k] and Val[f, X, T_k] = Val[f, X, T_{k−1}] for X = A[Assign, T_{k−1}]. Replace expression (P.3) by θ := θ' ↓(t) for a t ≥_int T_k. The point t is the right end of the interval of execution of the assignment under consideration.

(P.4) Occurrences of ↑(T_k) and ↓(T_k) different from that of (P.1). Apply Time Propagation Rules in an evident way. Set Val[f, X, T_k] = Val[f, X, T_{k−1}] for all X and A[Assign, T_k] = A[Assign, T_{k−1}] for all Assign. The intervals of execution of operators are defined also in a straightforward way: say, ↑(t) q gives the left end for the operator starting with this q, and the q ↓(t') corresponding to this q gives the right end of the interval of execution.

Each application of the propagation rules as mentioned above gives a new timed algorithm expression which is, by definition, (k), and we pass from (k−1) to (k).

The induction step of the definition is over.

A run is total if it is defined over [0, ∞). There are two reasons to get a non-total run, namely, incompatibility of assignments or a Zeno run, i.e. a run where T_k < const for all k. By induction that follows the definition of run one can prove

Lemma 1. In a total run the values of internal functions are piecewise constant, with intervals of the form (t, t'], t < t'.

2.3 Logical Representation of Runs

Runs of an asynchronous distributed algorithm A can be described as the set of models of some logical formula. We sketch a first order timed logic over some vocabulary to give such a description. Our approach here is straightforward and seems to be less efficient from the point of view of proof search than the logic in [4] for synchronous block [illegible].

The syntax of the logic we consider consists, in a way, of two sublanguages. The first one corresponds to the language of A, and describes how time propagation rules determine runs. Thus, it gives an interaction of the syntactic part of the time propagation with the values of arguments and functions, so we are to distinguish, say, a term as a word and the value of the term. In particular for this reason, we assume that A does not use time variables.

Notice that, given an algorithm, we can write down all occurrences of its processes and operators. Op below will denote a meta-variable for such occurrences. We could take a logic where Op would be a variable, but such a logic would be more complicated from the point of view of formal verification.

The vocabulary of the first sublanguage has the same sorts as the vocabulary of A, the same constants (static nullary functions) and, in place of a function f of type X → Y, it has a symbol f of type T × X → Y.

The vocabulary of the second sublanguage is a vocabulary to write down timed algorithm expressions with time variables in arrow expressions. It contains a vocabulary TAE of words over which, i.e. the set TAE*, contains all timed algorithm expressions. But we need also parameterized expressions. The latter will be represented by terms built with the help of concatenation from constants representing atoms to construct expressions (keywords, delimiters, arrows etc.) and from variables for words and time. Thus, time variables are treated from the point of view of their values when speaking about relations between expressions (equality, occurrence etc.). Functions and predicates of the second sublanguage permit to describe occurrences of operators, their form, occurrences of arrowed expressions, arguments etc. An occurrence of a word V in W can be described by the number of its first position in W or by a bracketed tuple of words giving its context, where the brackets and comma used there are supposed to be not in the alphabet of TAE.

We assume that each occurrence of an operator in the algorithm has a name, and Op will be used as a variable for such occurrences. Letters F, U, V, W will be variables for words over TAE, f a meta-variable for an internal function whose type will be denoted as X → Y, X a list of variables of sorts X, v a variable for values of f and T, t, T', ... time variables.

The description of run given above can be written as a formula that defines a unary predicate TAE over TAE*, a binary predicate on timed algorithm expressions (W follows F), predicates Int(Op, t, [ , )), Val(f, X, t, v), Tm(f, X, t) and a function A(Assign, t) corresponding to the sets and function with the same names used in the definition of run (here Assign and Op are meta-variables, thus we have a function A_Assign(t) for each occurrence Assign of an assignment and similarly for Int).

Now a run is a function of time and is represented as a finite set of symbols f, each f being of the type T × X → Y and corresponding to f : X → Y of the vocabulary of A. To represent the auxiliary values we use symbols f⁺ of type T × X → Y.

We describe how to write a formula representing runs, with comments concerning this description. First, we write a conjunction of formulas related to the initial state.

(RunIni) ∀t in the initial interval IniState((t)): initial values of functions constituting (t) for t in the initial interval are determined by the initial state.

(RunPlusIni) ∀t left of 0 in the initial interval (t) = (0), where we define the initial values of functions constituting (t) for t in the initial interval.

(TAEIni) TAE(↑(0)P_1 ... ↑(0)P_N) defines the initial timed algorithm expression.

(ExecLeftIni) 0 is the left end of the interval of execution of Op_j, 1 ≤ j ≤ N.

(ValueToAssign) For all internal f : X → Y and X the predicate Val(f, X, t, v) is false for all t in the initial interval and for all v of the sort of values of f.

This just described formula is connected by conjunction with the formula below describing a recursive step. This formula is a conjunction of 2 formulas: one corresponds to (Update) and the other to (Propagation).

Notations: Tm = Tm(f, X, T). Predicate t = MinTm(W) means "t is the minimum of times that occur in arrowed expressions of W".

(Update) The prefix ∧_f ∀T ∀T' ∀F ∀W ∀X ∀v is followed by an implication whose premise is (TAE(F) ∧ TAE(W) ∧ T = MinTm(F) ∧ T' = MinTm(W) ∧ T < T' ∧ W follows F ∧ Val(f, X, T, v)) and whose conclusion is:

  ∀t ∈ [T, T') f(t, X) = v
  ∧ (¬Tm → (f(t, X) = LeftLim_{t'→T} f(t', X))) ∧ Val(f, X, T, v)
  ∧ ∀t ∈ (T, T'] f⁺(t, X) = f⁺(T, X)

(Propagation) This formula starts with ∀T ∀t ∀F ∀W and some other universal quantifiers of a more technical nature (we do not mention them) and has as its scope an implication. This implication has as its premise (TAE(F) ∧ T = MinTm(F)) and has as its conclusion a conjunction of formulas describing the possible situations where one can meet an arrowed occurrence of T. These situations correspond to the time propagation rules as in the definition of run. We consider only 3 situations (R1)-(R3).

(R1) F = U If Gu ↑(T) Op Fi U', where U and U' give the global context of the occurrence of ↑(T) under consideration, Gu and Op are a concrete guard and a concrete operator of A. We take the formula Gu(T) that is constructed from Gu by replacing all terms of the form f(η) by their timed version f(T, η); the operation goes down to variables and constants, which it does not change. So we continue writing the formula: Gu(T) and T <_delay t and W = U If Gu ↑(t) Op Fi U' implies TAE(W) and W follows F and the extension of Val, Tm, A to t.

(R2) F = U θ ⇑(T) := θ' U', where θ = f(η_1, ..., η_n). Let v = θ'(T) and X = (η_1, ..., η_n)(T). Here, in addition to the discourse concerning W, TAE and the follows relation, we set Val(f, X, T, v) and A(Assign, T) = X.

(R3) F = U θ :=⇓(T) θ' U'. Here, in addition to defining TAE(W) and that W follows F, we say that for all v such that Val(f, X, T, v), where X = A(Assign, T) and Assign is the assignment under consideration, there take place Tm(f, X, T) and Val(f, X, T, v).



3 Refinements

A refinement of a distributed algorithm is not a simple replacement of an operator by another one which is, in a way, more detailed. Though such a replacement can take place, there may be other changes in the algorithm being refined. We will see it later for Lamport's Bakery. We define refinement semantically, in terms of runs.

Assume that the runs under consideration are total, and the functions of the vocabulary do not have undef as their value.

Let V and W be two vocabularies of the type described above. A run over a vocabulary W is an interpretation of sorts and a mapping that gives for any t a value of f(X*) for each f : X → Y, for every X* ∈ X*, where X* denotes the interpretation of sorts X. Now suppose that an interpretation of sorts is fixed; that means, in particular, that every sort in V is interpreted in W as in V.

The projection of a run φ over W onto V (notation: proj_V(φ)) is the run that is the result of deleting from φ all identifiers of W \ V.

Let A and A' be algorithms respectively over V and W.

The aim is to compare runs of A and of its refinement A' modulo refined operators. As the latter are only in A but not in A', we are to use some abstraction of runs of A and that of A' modulo some sequence of intervals (corresponding to the intervals of execution of the operators to refine) supplied with sets of identifiers (corresponding to the identifiers being changed by these operators).

Operation Abs_W takes as its arguments an interpretation φ of vocabulary W (in particular, a run of A or that of A') and a finite set of pairs Ω = {(α_i, I_i)}, 1 ≤ i ≤ m, where each α_i is a sequence of disjoint time intervals (in increasing order) and each I_i is a finite set of identifiers of W different from input or output ones. The value Abs_W(Ω, φ) is a mapping φ' from time to values of φ extended with undef, obtained by the following procedure: for each interval α_i(j) set the values of each f(X) ∈ I_i equal to undef inside α_i(j).

Consider a set S = {Op_1, ..., Op_m} of disjoint operators of A. Denote by α_i the sequence of intervals of execution of Op_i and by I_i the set of identifiers changed by Op_i except the output ones. This gives the set Ω.

An algorithm A' is a refinement of A with respect to S (operators to refine) if for every run φ of A' there exists a run ψ of A such that Abs_W(Ω, proj_V(φ)) = Abs_W(Ω, ψ).

Algorithm A' is a strong refinement of A with respect to a set S of disjoint operators of A (operators to refine) if it is a refinement of A and for every run of A its projection onto V is a run of A'.

The disjointness of operators in the definition above is not essential, as any two (occurrences of) operators are either disjoint or one is a part of the other. We suppose, without loss of generality, that the vocabulary of the refined algorithm intersects the vocabulary of the initial algorithm exactly at inputs/outputs. As a consequence of the fact that Abs_W does not touch inputs/outputs we have
[statement illegible]

To illustrate how the introduced notions of run and refinement work we consider Lamport's Bakery Algorithm for the Critical Section Problem from [7], deleting all questions of fault-tolerance vaguely discussed by L. Lamport. We rewrite it as an asynchronous distributed algorithm, constituted by N programs shown on Fig. 1, where X_p[1 : N] is a local array of process p, and the strict order on pairs is lexicographic: (a, b) < (c, d) means that a < c, or a = c and b < d. The function choosing(p) (whose role is slightly obscure) in original Lamport's Bakery is ensured by the semantics, so it is omitted (as in [2]). The idea of the algorithm is as follows. A process wishing to enter the critical section (CS) gets a ticket (number_p) calculated in line 3 and then enters Bakery with this ticket. Then it is waiting until all previous tickets were satisfied, and enters CS. Tickets are natural numbers, the number of processes involved is N, CS_p is a predicate indicating that process p is in CS. Instruction CS_p means CS_p := true, ¬CS_p means CS_p := false. The array X_p serves to get the tickets of other processes. How p achieves access to number_q is not discussed and will be the subject of refinement.

Lamport does not give rigorous semantics. Our algorithm on Fig. 1 and its semantics preserve the main idea of Lamport's Bakery. To be more precise with respect to Lamport's Bakery we are to permit an arbitrary delay after line [illegible]; however, it does not change our reasoning on the whole, so we do not do it. So in our case each process executes number_p := 0 infinitely often. Following [7] one can prove that BakeryAsyn satisfies:

(Safety): ∀p ∀q ∀t (p ≠ q → ¬(CS_p(t) ∧ CS_q(t)))
(No two processes can be in CS at the same time.)

(Liveness): ∀p ∀t (number_p(t) > 0 → ∃t' ∈ [t, t + c_1·δ_int + c_2·δ_ext] CS_p(t'))
for some natural constants c_1 and c_2.
(Each process that wishes to enter CS eventually enters there.)

Strictly speaking, (Safety) and (Liveness) constitute only part of the requirements specification, namely, the specification of functioning. There must be present
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BakeryAsyUp: 




Initial alues (IniState): numbevp = , -<CS, Xp{q\ = 

P 




- 


oor a : 

number p := ■, Xp[p] := ; 




2 


r r Xp[q\ ■.= number q\ 


r 


3 


;= + a q{a;p[<j]}; 




— 


aker : 




4 


number p := Xp[p]-, 
r r <1 7 ^ P 

p Xp[q] ~ number q 

i ( Xp[q] = V [Xp[p],p) < [Xp[q],q) ) 

p ; 

r 




— 


ritical ection: 
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CSp-, 
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^CSp-, 
number p ~ 

P 





i . . a port’s aker as istributed s nc ronous Igorit 



a specification of the environment. But in our case, as the algorithm has no outputs, the environment is represented by the semantics of the algorithm.

The program for each p, shown on Figure 1, uses its local array X_p[1 : N], and the interaction of the process p with q is represented as the assignment X_p[q] := number_q. Our goal is to refine this interaction and describe it in terms of lower level interactions preserving, however, Lamport's "high-level" proof of correctness. To see the problem better we will refer to operator 2 as Numbers_p and to operator 4 as Count_p.

3.3 Refinement of Lamport's Bakery with Parallel Communications

Now we wish to refine Numbers_p and Count_p for all p. In the algorithms described above we may have simultaneous reads or writes, but simultaneous reads or writes implicitly involve solving the problem of critical section, so we are in a vicious circle which we wish to avoid. In Lamport's algorithm there are two types of parallelism: one concerns the interaction between processes, and the other is the internal parallelism of one process. To manage the interaction between the processes we will use a standard communication medium of asynchronous distributed algorithms (based on send/receive messages).

Firstly, we introduce a new sort, namely Message. Each message μ is a quadruple (mess_#, mess_sender, mess_receiver, mess_contents), each component being of the following sort: mess_# ∈ N, mess_sender, mess_receiver ∈ Process, mess_contents ∈ N ∪ {?}. Symbol ? will mean sending a query on the number.

46   J. Cohen and A. Slissenko

The numbering of messages is necessary only to specify the communication medium as a set: if the messages are not numbered we cannot distinguish two equal messages sent at different moments of time that must be received twice. We assume that a number is attributed automatically and will not mention it.

Medium is a finite set of messages of a priori non-bounded size. We assume that every sent message eventually reaches its destination within the external delay. To send messages a process p makes an assignment to one of its internal functions send that implies immediate sending of this message to Medium. The messages arriving at p are placed in one or several queues. Extracting a message is done by an assignment of the form w := first_queue, which implies that the first message becomes the value of w and disappears from the queue. If the queue is empty then the value given by first_queue_p is ⊥. Each queue has its own first_queue.

A straightforward way of refinement of BakeryAsyn is to replace each X_p[q] := number_q by a sending/receiving of messages preserving the enveloping parallelism. But it does not work: for example, in the case of parallel communication as defined below, we may have deadlocks or other misfunctioning (see Remark below).

To model a parallel communication facility we introduce for each process p functions send_p^? (to send its queries), send_p^! (to send responses to queries of others), first_queue_p^! (to receive responses to its queries), first_queue_p^? (to receive queries of others). In the description of the environment one is to include two queues for each p: queue_p^? and queue_p^!.

The refinement with parallel communication is on Fig. 2 and is self-explanatory.

Theorem 1. Algorithm BakeryRef is a strong refinement of BakeryAsyn if its delays are appropriately diminished (which we easily estimate).

Proof. We prove two assertions marked below by (A) and (B).

(A) ∀φ ∈ Runs(BakeryRef): proj(φ) ∈ Runs(BakeryAsyn).

Property (A) is implied by the two following claims, which are consequences of the fact that every sent message arrives at its destination within the delay δ_ext, and that every query from another process will be responded to. In the latter case there may be some internal delay before sending a response, but having been sent, the response will reach its destination within the external delay. We do not estimate concrete delays as this is evident.

Claim 1. If [t, t') is an interval of execution of operator Numbers_p then X_p[q](τ_q) = number_q(τ_q) for some t ≤ τ_q < t'.

Proof. Suppose that p has sent a query to q executing Op 2.1. There is a moment of time such that queue_{q,p}^? contains ?. As each process repeats Op 2.1, we can consider that the value of w_{q,p} from this moment of time is ?. Thus q sends its number to p within delay O(δ_int). The medium will provide queue_{p,q} with number_q and thus the assignment w_{p,q} := first_queue_{p,q} will give number_q as the value of w_{p,q} and further as the value of X_p[q]. It is clear that to send/receive a message the algorithm spends at most 2δ_ext time plus some more delays δ_int. Remark that each queue_{q,p} has at most one element at a given moment. ■

On Verification of Refinements of Timed Distributed Algorithms   47

Fig. 2. Lamport's Bakery with Parallel Communication.

Claim 2. If [t, t') is an interval of execution of operator Count_p then for every q ≠ p we have X_p[q](τ_q) = number_q(τ_q) for some t ≤ τ_q ≤ τ'_q < t' and (X_p[q](τ'_q) = 0 ∨ (X_p[p](t), p) < (X_p[q](τ'_q), q)) for some τ'_q < t'.

Proof. As in the previous proof, using the properties of the medium, one can easily deduce Claim 2. ■



(B) ∀φ ∈ Runs(BakeryAsyn) ∃ψ ∈ Runs(BakeryRef): Abs_W(Ω, proj(ψ)) = Abs_W(Ω, φ).

Let φ ∈ Runs(BakeryAsyn). We construct ψ by induction on the changes of the values of φ. For the moment 0 the initial values of both considered algorithms are compatible. Clearly the only cases to consider are the executions of operator 2 and operator 4 of the BakeryAsyn algorithm, which are refined by BakeryRef. Remark that the identifiers of operator 2 and operator 4 of different processes are different, and the intervals of execution of operator 2 and that of operator 4 for the same p are disjoint.

We take an interval I = [t, t') of execution of operator 2. And within this interval of time, we construct an appropriate execution of BakeryRef. Take all the moments τ_q in I such that X_p[q](τ_q) = number_q(τ_q) for BakeryAsyn. Firstly, we choose delays such that for each q, Op 2.1 ends before τ_q, say at t_q in BakeryRef, that is, queue_{q,p} contains the query of p at time t_q. Then we can choose delays such that q executes Op 2.2 and gives (p, number_q(τ_q)) as the value of send_{q,p}. Then delays are chosen so that p executes Op 2.2 and 2.3 and finally gives number_q(τ_q) as the value of X_p[q] at time τ_q. The value of the array X_p at the end of I is the same in both executions of the two algorithms.

We can deal in the same way with operator 4. ■

Theorems 2 and 1 imply

Corollary 1. The refined algorithm BakeryRef satisfies (Safety) and (Liveness).

Remark. The well functioning of Lamport's algorithm leans particularly upon "good" communications between processes. If we wish to make such an exchange of information precise, the very first idea is to focus only on the concerned operators, that is operator 2 and operator 4, in which communications occur.

However, this idea does not lead to a correct refinement. Suppose we authorize communications only during the intervals of time when these two operators are running. As a consequence, a process can only receive a value 1 or greater as a response to its query, since during the execution of these two operators number_r ≥ 1 for any process r.

Hence, a run of Lamport's Bakery where each process stays idle from time 0, with the exception of one who reaches the critical section, cannot be a run of our "refined" algorithm.

Let p, q be two processes and let us consider the following run of Lamport's Bakery:

  number_q(t) = 0  for t ∈ [0, ∞)        ¬CS_q(t)  for t ∈ [0, ∞)
  number_p(t) = 0  for t ∈ [0, 1)
  number_p(t) = 1  for t ∈ [1, 2)        ¬CS_p(t)  for t ∈ [0, 3)
  number_p(t) = 2  for t ∈ [2, 4)        CS_p(t)   for t ∈ [3, 4)
  number_p(t) = 0  for t ∈ [4, ∞)        ¬CS_p(t)  for t ∈ [4, ∞)

where the intervals of execution of operators 2 and 4 for process p are respectively [1, 2) and, say, [2.[illegible], 3).

An execution of the "refined" algorithm we consider is supposed to have the same values for number_p, number_q, CS_p and CS_q except during these two intervals of time. Therefore we must have number_q(t) = 0 and ¬CS_q(t) for t ∈ [0, 1) ∪ [2, 2.[illegible]) ∪ [3, ∞). To answer the query of p during [1, 2), q must be running operator 2 or operator 4. So q will execute operator 2 during [1, 2). In order to have its number back to the value 0, q must execute operator 3 and the rest of its program before time 2: it is not possible because during that interval of time number_p = 1 and the loop in operator 4 cannot end.
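The refinement of Sect. 3.3 and the failure mode of the Remark above, as an added simulation that is not the paper's own code: each process runs the program of Fig. 1, but every read X_p[q] := number_q is replaced by a query message to q and a reply carrying number_q through per-process queues, with delays modelled by a seeded random scheduler. The flag restricted reproduces the Remark (a process answers queries only while it executes operator 2 or 4). The process targets and the seed are constructed for this example; names such as Proc, respond and simulate are mine.

```python
# Added example: message-passing refinement of Lamport's Bakery (Fig. 1).
# Not the paper's code; the scenario and names are constructed here.
import random
from collections import deque

class Proc:
    def __init__(self, pid, n, target):
        self.pid, self.n, self.target = pid, n, target
        self.number = 0            # number_p (0 = not competing)
        self.X = [0] * n           # local array X_p[1:N]
        self.state = "idle"        # idle | doorway | bakery | cs
        self.entries = 0           # completed critical sections
        self.pending = []          # q's still to be read in operator 2 / 4
        self.waiting_for = None    # q whose reply is awaited
        self.queries = deque()     # queue_p^? : queries from other processes
        self.replies = deque()     # queue_p^! : answers to own queries

def others(p):
    return [q for q in range(p.n) if q != p.pid]

def respond(p, procs, restricted):
    """Answer queued queries with the current number_p.  In the restricted
    variant of the Remark a process answers only while executing operator
    2 (doorway read) or operator 4 (bakery read)."""
    if restricted and p.state not in ("doorway", "bakery"):
        return
    while p.queries:
        q = p.queries.popleft()
        procs[q].replies.append((p.pid, p.number))  # send_p^! := (q, number_p)

def step(p, procs):
    """One atomic step of process p's program (Fig. 1 with refined reads)."""
    if p.state == "idle":
        if p.entries < p.target:                 # line 1: number_p := 1; X_p[p] := 1
            p.number, p.X[p.pid] = 1, 1
            p.pending, p.state = others(p), "doorway"
        return
    if p.state == "cs":                          # leave CS: number_p := 0
        p.number, p.entries, p.state = 0, p.entries + 1, "idle"
        return
    if p.waiting_for is None:                    # send_p^? := (q, ?)
        q = p.pending[0]
        procs[q].queries.append(p.pid)
        p.waiting_for = q
        return
    if not p.replies:                            # reply still in the medium
        return
    q, value = p.replies.popleft()               # w := first_queue_p^!
    assert q == p.waiting_for
    p.X[q], p.waiting_for = value, None          # X_p[q] := number_q
    if p.state == "doorway":                     # operator 2
        p.pending.pop(0)
        if not p.pending:                        # lines 3 and 4
            p.X[p.pid] = 1 + max(p.X)
            p.number = p.X[p.pid]
            p.pending, p.state = others(p), "bakery"
    elif value == 0 or (p.X[p.pid], p.pid) < (value, q):   # operator 4 test
        p.pending.pop(0)
        if not p.pending:
            p.state = "cs"

def simulate(targets, steps, restricted=False, seed=7):
    """Run until every process p entered CS targets[p] times or the step
    budget is exhausted.  Returns the (Safety) verdict and entry counts."""
    procs = [Proc(i, len(targets), t) for i, t in enumerate(targets)]
    rng = random.Random(seed)
    safe = True
    for _ in range(steps):
        p = rng.choice(procs)                    # nondeterministic interleaving
        respond(p, procs, restricted)
        step(p, procs)
        if sum(q.state == "cs" for q in procs) > 1:
            safe = False                         # (Safety) violated
        if all(q.entries >= q.target for q in procs):
            break
    return {"safe": safe,
            "entries": [q.entries for q in procs],
            "completed": all(q.entries >= q.target for q in procs)}

if __name__ == "__main__":
    print(simulate([3, 3, 3], 50000))               # everyone enters, safe
    print(simulate([2, 0], 5000, restricted=True))  # p blocked: idle q never answers
```

In the unrestricted run the replies come from the always-active responder, so every query is eventually answered and the projection onto number_p, X_p and CS_p behaves like BakeryAsyn. In the restricted run process q stays idle, never reaches operator 2 or 4 and therefore never answers, so p is stuck in its doorway exactly as the Remark describes.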

r c 
Increasingly, software is developed from pre-existing components rather than being built from scratch. Component middleware such as CORBA [2 ], COM [2] or JavaBeans [6] allow applications to be constructed with the help of binary components and foster the development of a component market [26]. Components can also take the form of services which are implemented as separate software systems accessed over the internet [3 ].

Looking beyond the technical details, components are parts which exist to be composed. The most important difference with respect to modules in traditional top-down development is that future compositions of a component are unknown to the component's authors. To be useful, a component library therefore needs to provide high flexibility in component reuse and composition. It has been argued that this is a difficult task, in particular because the object-oriented languages used to implement components do not provide the right abstractions [ ].

This paper explores language design issues in the area of composition. We argue that a component is composable only if two requirements are fulfilled: The component needs to be adaptable and its plugs should be first-class.

A component is adaptable if clients can enrich its interface after the component has been constructed and delivered. Such changes consist typically in adding some data fields or methods which the original component did not yet support. The methods are to be defined in terms of the component's existing public interface. Such additions should not affect a component's source code. After all, source code changes by clients are impossible for binary and service components and pose severe version control problems for components existing in source form.

The need for adaptations arises because at the time when a component is designed and implemented one often does not know precisely in which contexts the

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912. © Springer-Verlag Berlin Heidelberg 2000
component will be used. As a simple example, consider the task of writing a class for lists. Which methods should this class offer? A fairly small implementation could be:

  class List[a] = {
    head: a = ...
    tail: List[a] = ...
    isEmpty: Boolean = ...
  }

Of course there are many more useful functions to be included in the List class. Functions to select elements inside the lists, to form sublists, to concatenate lists, to filter elements according to some criterion, or to map functions over all elements come to mind. Furthermore, one might want to treat lists as representations of sets, in which case membership, union, intersection and set difference also should be supported. And one can think of many other useful operations on lists. The hard question is where to stop. Meyer [2 ] recommends a "shopping list approach" to class design where essentially all useful methods one can think of should be added to an abstraction. In the case of lists, this would probably lead to many hundreds of methods, and even then clients of the list abstraction will likely miss a method they require. It seems preferable to provide a more compact list definition and let clients customize this definition as they require.

The criterion for a complete class design would then be that every useful method for the class can be defined in terms of the public interface, not that the method already is defined. The "can"-completeness criterion is much easier to fulfill; for instance, our simple implementation of lists above is already complete.

[Figure 1 listing (the Funnel sketch of the symbol table module) is not legible in the scan.]

Fig. 1. Symbol Table Module

As another example, consider the task of constructing a component for symbol tables in a compiler. Specifications and algorithms for symbol tables are potentially portable over many compiler implementations. Figure 1 shows a sketch of a generic implementation. However, it's not clear what attributes should go into a symbol, as is illustrated by the ... in the Symbol type. Clearly, symbols will have a "name" attribute. We might also settle on fields that contain a symbol's type and location. But there are also other potential attributes which depend on the situation in which a symbol table is used. For instance, if our compiler has a code generator, symbols will need a field in which to store their address. On the other hand, if the compiler is coupled with a source code browser, we might need an additional attribute in a symbol which contains the list of all usage points of that symbol. Again, the precise definition of some aspect of the symbol table component depends on the contexts the component is used in.

In classical structured programming, where data structures and code are separated, symbol tables would be adapted by changing their code, filling in the ... in the Symbol type as required by the application. But source code adaptation is impossible or at least undesirable in a component setting. Furthermore, the necessary adaptations to the symbol table module also violate the encapsulation principle, since fields needed only by the code generator module are placed in the common data structure which is accessible to all. Hence, better solutions for adaptation are called for.

The other requirement for components has to do with how flexibly they can be composed. One usually regards the run-time embodiments of a component's interfaces as its "plugs". In object-oriented languages plugs are often realized as objects which have methods which are accessible to clients. A plug is first-class if it can be treated like a normal value. In particular, one should be able to pass plugs as parameters to functions, and it should be possible to construct data structures with plugs as elements. As a very simple example for this kind of flexibility, consider the task of displaying the information associated with a symbol. Since there are so many different devices on which this information could be displayed, it makes sense to split the task in two. Symbols only provide a method toString, which converts the information associated with the symbol to a string. In other words, symbols support the interface

  type Printable = {
    toString: String
  }

Then, a display device could provide a general display service for objects that "know" how to turn their information into strings:

  print(o: Printable) = ...

If v was such a device and sym was a symbol it would then be possible to write v.print(sym). Of course, this assumes that symbols are values that can be passed to the print function. In particular, the type Symbol must be compatible with the type Printable.
Fig. 2. Support for adaptability and first-class plugs.

Since adaptability and first-class plugs are natural requirements for software components, one might expect that mainstream languages would provide support for both. Maybe surprisingly, this has not been the case so far. Figure 2 summarizes the state of the art, which will be further discussed in the next sections. Even though structured programming languages such as Ada or Modula-2 provide support for modules, which can be seen as an embodiment of components, the components thus defined are neither adaptable, nor do they have first-class plugs. Object-oriented programming leads to components with first-class plugs, but these components are not adaptable. Conversely, the approach taken by abstract state machines lends itself to the construction of components which are adaptable, but these components do not have first-class plugs. More advanced type systems and design patterns can in each case provide some of the missing functionality. Refining object-oriented programming with bounded genericity can provide adaptability to some degree, whereas refining functional programming and ASM's with a construct such as Haskell's type classes can provide some of the benefits of first-class plugs.

This paper presents views as a simple technique to provide both adaptability and first-class plugs. The technique uses standard object-oriented modeling techniques to model first-class plugs. A view is a syntactic construct which provides new methods for objects of an existing class, thus providing implementations for additional object interfaces. Views that extend a component can be distributed over arbitrary client components.

The discussion in this paper is in the context of statically typed languages. As notation for our examples, we use Funnel [24], together with some hypothetical extensions.

The rest of this paper is structured as follows. Section 2 discusses strengths and shortcomings of the abstract state machine approach to software composition. Section 3 discusses the same for the object-oriented approach. Section 4 presents views. Section 5 discusses related work and Section 6 concludes.



2 Abstract State Machines

The abstract state machine approach reverses the usual relationship between functions and data. Rather than having mutable data structures which are operated on by immutable functions, we have immutable data, which are operated on by both mutable and immutable functions. This makes use of the following analogy between function application and selection:

    f(x) = x.f

In other words, a data selector can be seen as a single argument function over the selected data domain and vice versa. This equivalence makes sense on the left-hand sides of assignments as well:

    f(x) := E  =  x.f := E

We can thus re-interpret assignment of an expression to a variable field f of a record x as an update of a mutable function f at the position x. If we apply this re-interpretation consistently, we arrive at only immutable data, which serve as index structures for possibly mutable functions. The immutable data structures can be described as algebras, which leads to a simple formal treatment of state change. This treatment lends itself to the verification of properties of imperative programs with pointers, which are very hard to prove otherwise [23].

Abstract state machines add to this the idea of specifying change by a global set of rules, which collectively specify an execution step. The question whether execution is described by a global set of rules or by more conventional statements with control flow constructs is irrelevant to the discussion in this paper and will henceforth be ignored. In any case, the abstract state machine approach leads very naturally to components which are adaptable.

For instance, consider the question which functions to provide together with a List type. Abstract state machine programmers would do the same functional programmers do: they would define List as an algebraic data type which can then be accessed by pattern matching. Using Funnel as a notation, the algebraic data type is expressed as a class with two cases and the pattern match is expressed by a call to the match method of a list. For instance, here is the definition of a list together with two representative functions over lists:
    class List[a] = {
      case Nil
      case Cons(head: a, tail: List[a])
    }

    append(xs: List[a], ys: List[a]) = xs.match {
      case Nil => ys
      case Cons(x, xs) => List.Cons(x, append(xs, ys))
    }

    map[a, b](f: a => b, xs: List[a]) = xs.match {
      case Nil => Nil
      case Cons(x, xs) => List.Cons(f(x), map(f, xs))
    }

All operations over lists can be expressed in terms of pattern matching. Hence, a list operation can be placed in an arbitrary module, and new list operations can be added by clients of the list abstraction as needed. In a word, lists designed as algebraic data types are adaptable. This might be too trivial to mention except for the fact that lists represented as objects which export all their methods are not adaptable in the same way, as clients cannot add new methods to an existing list. This point will be further discussed in the next section.

The abstract state machine approach also ensures adaptability for mutable functions. For instance, consider the situation where a symbol table module as given in Figure 1 is adapted to work with a code generator client. The code generator needs to maintain with each symbol its address. This could be achieved by defining a mutable function from symbols to their addresses in the code generator module:

    var addr(sym: Symbol): Int = 0

The = part in the declaration above defines the initial value of the mutable function to be 0 over all of its domain. The code generator module could then enter a symbol's address by an indexed assignment such as

    addr(sym) := toAddr

and it could access a symbol's address by calling addr(sym). No change to the symbol table module is necessary. Furthermore, since addresses are dealt with only in the code generator, the definition of addr can be kept local to the code generator module, so that we have gained encapsulation as well as adaptability.

This is all good news. However, the abstract state machine approach does not satisfy our second criterion, that components have first-class plugs. For instance, we still cannot define a general print service with a method print(p: Printable) which can be applied to symbols. Indeed, neither classical structured programming nor abstract state machines provide a subtype relation which would let us treat a Symbol as a special instance of the more general Printable abstraction.

This is not an oversight either. To be useful, the Printable abstraction must define a method such as toString, which turns a Printable into a String. Hence, data must be an abstraction which includes functions operating on the data. This view is at odds with the data structuring approaches of functional programming and abstract state machines, which treat data as domain structures for functions defined elsewhere. In a sense our two criteria of adaptability and first-class plugs seem to be at odds with each other. First-class plugs require grouping functions with data whereas adaptability requires grouping functions separately.

The functional programming language Haskell [ ] pioneered the concept of type classes [29], which can to some degree make up for the lack of first-class plugs in functional systems. It would be quite possible to extend this construct to abstract state machine languages as well.

A type class represents a shared property of a set of types; alternatively, it can be identified with the set of types which satisfy the property. A property states that a type supports a given set of functions with given signatures. For instance, here is a declaration of a type class Printable.¹

    typeclass Printable a where {
      toString :: a -> String
    }



This states that a type a belongs to the type class Printable if there is a function toString, which takes a value of type a and yields a value of type String. Types become members of type classes by explicit instance declarations. Example:

    instance Printable Symbol where {
      toString (sym) = ...
    }



The instance declaration above declares Symbol to be an instance of type class Printable and provides the implementation of the toString method of Printable. We can now define functions which are polymorphic over all types which are instances of a given class. Example:

    print :: Printable a => a -> ()
    print x = ... toString (x) ...

This defines a function print which takes as parameters values of type a, where a is an arbitrary instance of type class Printable. The call to toString in print will invoke the method which is appropriate for the concrete type to which the type variable a is instantiated. For example, if sym is a Symbol then the type variable a is instantiated to Symbol and print(sym) invokes the toString method given in Symbol's instance declaration. The type Printable a => a -> () is called a qualified type [ 2] and the (Printable a =>) prefix is called a context.

¹ We use Haskell syntax except for writing typeclass where Haskell uses class.

Representing component interfaces as instances of type classes, one can hence write generic functions which work with any component plugs which are instances of a given type class. This yields many of the benefits of first-class plugs, but some shortcomings remain. First, generic pluggability is achieved in a somewhat roundabout fashion. Second, we still cannot define data structures over component plugs. Consider for instance a data structure of lists whose elements are printable components, not necessarily all of the same type. We might try to express this as a List[Printable], but this would be ill-formed, since Printable is a type class, not a type. The qualified type Printable a => List[a] would not do either, since that type describes a list of objects which all have the same instance type of Printable. We could go further, expressing heterogeneous data structures by means of existential types [ ], but this comes at the price of even greater conceptual complexity.
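The type-class mechanism described in this section, as an added example in Rust that is not part of the paper: traits play the role of type classes, impl blocks the role of instance declarations (written after the type, and allowed in another module), generic bounds the role of the context in a qualified type, and a boxed trait object stands in for the existential type mentioned above as the route to a heterogeneous list. The names Printable, Symbol, Literal, render and the print helpers are chosen for this illustration, not taken from the paper.

```rust
// Added example, not code from the paper: Haskell type classes rendered as
// Rust traits. Printable, Symbol, Literal, render and the print_* helpers are
// names chosen for this illustration.

/// The "type class": a property a type may satisfy by providing `render`.
pub trait Printable {
    fn render(&self) -> String;
}

/// A data type defined without any knowledge of Printable.
#[derive(Debug, Clone, PartialEq)]
pub struct Symbol {
    pub name: String,
    pub tp: String,
}

/// A second, unrelated data type.
#[derive(Debug, Clone, PartialEq)]
pub struct Literal(pub i64);

// "Instance declarations": written after the types; they may live in a
// different module from the type as long as the trait or the type is local.
impl Printable for Symbol {
    fn render(&self) -> String {
        format!("{} {}", self.name, self.tp)
    }
}

impl Printable for Literal {
    fn render(&self) -> String {
        self.0.to_string()
    }
}

/// The qualified type `Printable a => a -> String`: P is any instance.
pub fn print<P: Printable>(p: &P) -> String {
    p.render()
}

/// `Printable a => List[a]`: a homogeneous list, every element the same type.
pub fn print_same<P: Printable>(items: &[P]) -> Vec<String> {
    items.iter().map(print).collect()
}

/// A heterogeneous list of printables needs an existential: `dyn Printable`
/// hides each element's concrete type behind the interface, paying for it
/// with a heap box and dynamic dispatch.
pub fn print_mixed(items: &[Box<dyn Printable>]) -> Vec<String> {
    items.iter().map(|p| p.render()).collect()
}

/// Constructed sample input: two symbols in one list, a symbol and a
/// literal in another.
pub fn demo() -> (Vec<String>, Vec<String>) {
    let syms = vec![
        Symbol { name: "x".to_string(), tp: "Int".to_string() },
        Symbol { name: "f".to_string(), tp: "Int -> Int".to_string() },
    ];
    let mixed: Vec<Box<dyn Printable>> = vec![
        Box::new(Symbol { name: "y".to_string(), tp: "Bool".to_string() }),
        Box::new(Literal(42)),
    ];
    (print_same(&syms), print_mixed(&mixed))
}

fn main() {
    let (same, mixed) = demo();
    println!("{:?}\n{:?}", same, mixed);
}
```

The homogeneous case costs nothing at run time (print_same is monomorphized per element type); the heterogeneous case is where the "greater conceptual complexity" of the paragraph shows up as an explicit indirection in the type.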



3 Object-Oriented Programming

Instead of starting with an adaptable architecture and trying to emulate first-class plugs, mainstream programming has instead favored the object-oriented approach, which has first-class plugs built in, yet needs additional provisions to achieve some degree of adaptability.

In object-oriented design and programming, one groups data (called instance variables) and functions operating on the data (called methods) together in an object. Data and functions collectively are called the fields of an object. There is a subtyping relation (written <) between object types, which lets one use an object with a certain set of fields in a context where only a subset of the fields is required. This provides all we need for first-class plugs. For instance, to make symbols printable, it suffices to make the type Symbol a subtype of Printable, which requires the definition of a toString method in Symbol:

    class Symtab = {
      class Symbol < Printable = {
        ... (fields as before) ...
        toString: String = name ++ " " ++ tp.toString
      }
    }

Then we can write:

    sym = Symtab.Symbol ...
    ... print(sym)
Are objects also adaptable? We might think so, because with inheritance it is possible to define a subclass which adds new fields to an existing class. For instance, it is possible to define in the code generator class CodeGen a new class Symbol which inherits from the original symbol class as defined in module Symtab:

    class CodeGen = {
      class Symbol < Symtab.Symbol = {
        var addr: Int
      }
    }

Instance objects of class CodeGen.Symbol have all the fields of original symbols, plus the mutable addr field. So it seems we have managed to adapt symbol table modules to a code generator client. But closer inspection shows us that this is not really the case. There are two problems with adaptation through inheritance. One concerns types, the other object creation. Looking at types first, we notice that function lookup in our symbol table module still returns objects of type Symtab.Symbol, not objects of type CodeGen.Symbol. So the added addr information does not show up in the type.

    class Symtab {
      ...
      class Symbol ...
      lookup(scope: Scope, name: String): Symbol
    }

To access the addr field of a code generator symbol stored in the symbol table, we need a dynamic type cast. In other words, we can gain adaptability only by subverting the type system, and running the risk of dynamic type errors. A safer alternative makes use of type parameterization. For instance, here is a re-formulation of the symbol table class using genericity:



    class Symbol < Printable = {
      ... (fields as before) ...
    }

    class Symtab[s < Symbol] = {
      lookup(scope: Scope, name: String): s = ...
      enter(scope: Scope, sym: s): Boolean = ...
      open(outer: Scope): Scope = ...
    }



The class for symbol tables is now parameterized by a type variable s which represents the actual type of symbols stored in the table. The only requirement on instantiations of s is that they are subtypes of Symbol. Some gluing is needed at the top-level of an application to instantiate the class to the right symbol type:

    symtab = Symtab[CodeGen.Symbol]

The other problem with achieving adaptation with inheritance has to do with object creation. Taking our symbol table example, we note that we have not looked yet at code which creates symbols to be stored in the table. Let's say symbols are created during tree attribution, in class Attr:

    class Attr = {
      ... Symbol(name, tp) ...
    }



This is not yet precise, because we have not yet specified which symbol should be created during tree attribution. If it is the original Symtab.Symbol that is created, we are missing an addr if we want to couple tree attribution with code generation. On the other hand, if it is a CodeGen.Symbol which is created, we have hardwired the relationship between tree attribution and code generation. Now it would be the tree attribution part which lacks adaptability, because it would not be able to deal with different kinds of symbols, for instance those required by a source code browser. To overcome this problem, we can make use of the factory design pattern [7]. Factory objects would have an interface of the form:

    type Factory[t] = {
      make(...): t
    }



There would have to be an appropriate factory for every subtype of symbol which is being defined. E.g. in class CodeGen:

    class CodeGen = {
      symFactory: Factory[Symbol] = {
        make(name: String, tp: Type): Symbol =
          new Symbol(name, tp)
      }
    }



The Attr class will be parameterized with the factory which is to be used for symbol creation. We also have to parameterize Attr with the actual type of symbols to be created. This yields:

    class Attr[s < Symbol](symFactory: Factory[s]) = {
      ... symFactory.make(name, tp) ...
    }



Some more gluing is needed at top-level, to obtain the correct instantiation of the tree attribution module:

    symtab = Symtab[CodeGen.Symbol]
    attr = Attr[CodeGen.Symbol](CodeGen.symFactory)

The preceding discussion has shown that it is possible to obtain a certain degree of adaptability in object-oriented designs, but this requires planning. If we had not foreseen the possible later extension of the symbol type, we would not have provided the necessary parameters for subtypes and factories. The hooks necessary for enabling future extensions can clutter programs considerably, in particular if we envisage multiple coexisting extensions. For example, the current compiler framework would enable a single extension of Symbol, say for a code generator or a browser, but it would not yet enable multiple coexisting extensions, say where a symbol has both an addr field for a code generator and a uses field for a browser. Multiple extensions can be supported by stacking extensions on top of each other but this requires even more complex protocols.
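An added example, not the paper's code, that carries the symbol-table discussion of this section into Rust: the first table stores the base type and recovers the code generator's address only through a run-time downcast, so a plain symbol yields a type error at the cast (an Option here, where a language with unchecked casts would misread memory); the second is parameterized by the symbol type, as the paper's Symtab[s < Symbol] is, and a factory trait lets tree attribution create the right symbol without naming it. The type and function names (BaseSymbol, CodeGenSymbol, DynSymtab, Symtab, Factory, CodeGenFactory, Attr) and the address-allocation policy are assumptions of this example.

```rust
// Added example, not the paper's code: the symbol-table adaptation problem in
// Rust. All type and function names below are chosen for this illustration.
use std::any::Any;
use std::cell::Cell;
use std::collections::HashMap;

/// The base symbol interface (the paper's Symtab.Symbol). `as_any` is the
/// hook a dynamic downcast needs.
pub trait Symbol {
    fn name(&self) -> &str;
    fn as_any(&self) -> &dyn Any;
}

#[derive(Debug, PartialEq)]
pub struct BaseSymbol { pub name: String }

/// The code generator's extension: a symbol that also carries an address.
#[derive(Debug, PartialEq)]
pub struct CodeGenSymbol { pub name: String, pub addr: i64 }

impl Symbol for BaseSymbol {
    fn name(&self) -> &str { &self.name }
    fn as_any(&self) -> &dyn Any { self }
}
impl Symbol for CodeGenSymbol {
    fn name(&self) -> &str { &self.name }
    fn as_any(&self) -> &dyn Any { self }
}

/// Version 1: the table knows only the base type, so the address is reachable
/// only through a run-time cast that fails when a plain symbol was stored.
#[derive(Default)]
pub struct DynSymtab { entries: HashMap<String, Box<dyn Symbol>> }

impl DynSymtab {
    pub fn enter(&mut self, sym: Box<dyn Symbol>) -> bool {
        let name = sym.name().to_string();
        if self.entries.contains_key(&name) { return false; }
        self.entries.insert(name, sym);
        true
    }
    /// None is the dynamic type error of the paper's discussion.
    pub fn addr_of(&self, name: &str) -> Option<i64> {
        self.entries.get(name)?.as_any().downcast_ref::<CodeGenSymbol>().map(|s| s.addr)
    }
}

/// Version 2: bounded genericity. The table is parameterized by S < Symbol and
/// lookup returns S, so the extension is visible in the static type.
pub struct Symtab<S: Symbol> { entries: HashMap<String, S> }

impl<S: Symbol> Symtab<S> {
    pub fn new() -> Self { Symtab { entries: HashMap::new() } }
    pub fn enter(&mut self, sym: S) -> bool {
        let name = sym.name().to_string();
        if self.entries.contains_key(&name) { return false; }
        self.entries.insert(name, sym);
        true
    }
    pub fn lookup(&self, name: &str) -> Option<&S> { self.entries.get(name) }
}

/// The factory pattern: tree attribution creates symbols without naming
/// their concrete type.
pub trait Factory<S: Symbol> { fn make(&self, name: &str) -> S; }

/// Constructed allocation policy: consecutive addresses 8 bytes apart.
pub struct CodeGenFactory { next: Cell<i64> }
impl Factory<CodeGenSymbol> for CodeGenFactory {
    fn make(&self, name: &str) -> CodeGenSymbol {
        let addr = self.next.get();
        self.next.set(addr + 8);
        CodeGenSymbol { name: name.to_string(), addr }
    }
}

/// The paper's Attr[s < Symbol](symFactory: Factory[s]).
pub struct Attr<S: Symbol, F: Factory<S>> { pub factory: F, pub table: Symtab<S> }
impl<S: Symbol, F: Factory<S>> Attr<S, F> {
    pub fn declare(&mut self, name: &str) -> bool {
        let sym = self.factory.make(name);
        self.table.enter(sym)
    }
}

/// Constructed scenario: a plain and an extended symbol in the dynamic table,
/// and two symbols created through the factory in the parameterized one.
pub fn demo() -> (Option<i64>, Option<i64>, Option<i64>, Option<i64>) {
    let mut dyn_tab = DynSymtab::default();
    dyn_tab.enter(Box::new(BaseSymbol { name: "x".to_string() }));
    dyn_tab.enter(Box::new(CodeGenSymbol { name: "y".to_string(), addr: 16 }));
    let mut attr = Attr { factory: CodeGenFactory { next: Cell::new(8) }, table: Symtab::new() };
    attr.declare("a");
    attr.declare("b");
    let addr = |n: &str| attr.table.lookup(n).map(|s| s.addr);
    (dyn_tab.addr_of("x"), dyn_tab.addr_of("y"), addr("a"), addr("b"))
}
```

The planning cost the paragraph describes is visible in the signatures: Symtab and Attr each carry a type parameter and Attr additionally a factory parameter, all of which had to be foreseen when the modules were written.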

4 Views

In the previous two sections, we have discussed two program structuring methodologies which have complementary strengths. Each methodology supports one of our two criteria of adaptability and first-class plugs, but supports the other only incompletely and at the price of complex language features and design patterns. In this section, we propose a more symmetric combination which can address both criteria equally well. This combination arises by translating concepts first developed for type classes into an object-oriented setting.

When comparing type classes in functional programming and object-oriented type systems, we find some strong analogies:

    type class            ~  type
    instance relation     ~  subtype relation
    instance declaration  ~  subtyping clause

A type class corresponds to a type in the object-oriented setting. For instance, instead of having the type class Printable, we would have the type Printable, which has all "printable" types as subtypes. Consequently the instance relation between types and type classes becomes the subtype relation between types.







Finally, an instance declaration in Haskell corresponds to a subtyping clause of a class declaration. The analogy highlights an important difference between the approach of Haskell and the one of object-oriented languages: in the latter, a subtyping clause is textually part of the extending class whereas in Haskell, an instance declaration can be given anywhere. Haskell's approach is adaptable, in that instance declarations for a type can be given after the type is defined. The object-oriented approach is not, since adding new subtype edges requires changes in the source code of the subtype.

Languages with structural subtyping do not need explicit subtyping clauses in class declarations. Instead, the subtype relation is determined only by the structure of the classes: Classes with more fields become subclasses of classes with fewer fields, as long as the types of common fields are the same or stand in turn in a subtyping relation. This gives some more flexibility in the subclass relation. But it still does not solve the adaptation problem since it does not provide a way to augment a given class with new fields.

Seeing these disparities it seems promising to provide a construct on the object-oriented side which matches more closely the distributed nature of instance declarations. This construct is called a view. A view adds new fields to values of an existing type. For instance, the following view declaration would add the method toString to all values of type Symbol.

    (this: Symbol): Printable = {
      toString: String = this.name.toString ++ " " ++ this.tp.toString
    }



A view takes the form of an unnamed function, which takes a single parameter of some type S and yields an object of type T. The view establishes a subtype relationship between S and T by giving declarations of all fields of T which are not yet present in S. All fields of S are inherited; i.e. they form implicitly part of the resulting object. It is only possible to add new fields to a class with a view, not to change existing fields.



Subtype clauses

Subtype clauses can be regarded as syntactic sugar for view declarations with empty bodies. For instance, our previous class declaration

    class Symbol < Printable = {
      toString: String = name ++ " " ++ tp.toString
    }

would be equivalent to

    class Symbol = {
      toString: String = name ++ " " ++ tp.toString
    }

    (this: Symbol): Printable = {}

Unlike a subtyping clause, a view declaration can be given anywhere in the program; it need not appear textually adjacent to the declaration of the view's parameter class.



Variables in views

Besides methods, views can also define mutable variables. Here is an example:

    type Addr = { var addr: Int }

    (sym: Symtab.Symbol): Addr = {
      var addr: Int
    }

These declarations, when placed in the code generator module of a compiler, would be equivalent to the mutable function which we have used in the abstract state machine structuring:

    var addr(sym: Symbol): Int

The only difference concerns selection syntax: we use the object-oriented version sym.addr instead of the previous addr(sym).



Encapsulation

More interestingly, we can also have information encapsulated in views. Consider for instance an encapsulated abstraction for address fields, which lets only even addresses be stored. This is accomplished as follows.

    type Addr = {
      setAddr(x: Int): ()
      getAddr: Int
    }

    (sym: Symtab.Symbol): Addr = {
      var addr: Int
      setAddr(x: Int) =
        if (x % 2 == 0) addr := x
        else error("bad address")
      getAddr = addr
    }

This view defines a variable addr along with setter and getter methods. Since the variable is not part of the view's target type Addr, it is not accessible to clients of the view.



Constraints

Sometimes, a parameterized type can implement a view only if some constraints on the type parameters are satisfied. Consider for instance structural equality as implemented by the interface

    type Eq[a] = {
      equals(other: a): Boolean
    }

A type T supports structural equality testing if it implements the unary equals method which takes other values of type T as parameters. In other words, T supports structural equality testing if T < Eq[T]. Now, consider the parameterized type of lists, List[a]. Should lists support structural equality testing? Clearly, we can compare lists structurally if we can compare the list elements. This can be expressed by the following, bounded view declaration.

    [a < Eq[a]] (this: List[a]): Eq[List[a]] = {
      equals(that: List[a]) = {
        this.isEmpty && that.isEmpty ||
        this.nonEmpty && that.nonEmpty &&
        this.head.equals(that.head) && this.tail.equals(that.tail)
      }
    }

The [a < Eq[a]] construct introduces a type parameter a for the view which is bounded by Eq[a]. The type variable can hence be instantiated to any type T which is a subtype of the bound Eq[T]. Note that this gives us a parameterized type which has or lacks method equals, depending on whether or not the type of the listed elements has the same method.
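The views of this section, the encapsulated address view and the bounded Eq view, as one added example in Rust that is not the paper's code. A trait implementation written in a module other than the one owning the type approximates a view (Rust's orphan rule, which restricts where such an impl may live, is that language's version of a consistency rule on views); since Rust cannot add a field to a struct declared elsewhere, the view's private addr variable is kept as a side table, which is exactly the mutable function addr(sym) of the abstract state machine formulation; and impl<A: StructEq> StructEq for List<A> is the bounded view [a < Eq[a]]. The modules symtab and codegen, the traits Addr and StructEq, and the names AddrView and List are chosen here.

```rust
// Added example, not the paper's code: views approximated with Rust trait
// impls written outside the module that owns the type. All names are chosen
// for this illustration.

/// The base module, left untouched by its clients (the paper's Symtab).
pub mod symtab {
    #[derive(Debug, Clone, PartialEq, Eq, Hash)]
    pub struct Symbol { pub name: String, pub tp: String }
}

/// A client module adding behaviour to Symbol without editing symtab.
pub mod codegen {
    use super::symtab::Symbol;
    use std::collections::HashMap;

    /// The view's target type: clients see only set_addr and get_addr.
    pub trait Addr {
        fn set_addr(&mut self, sym: &Symbol, x: i64) -> Result<(), String>;
        fn get_addr(&self, sym: &Symbol) -> Option<i64>;
    }

    /// The view's private state, the mutable function addr(sym) of the ASM
    /// formulation, kept as a side table because Rust cannot add a field to
    /// a struct declared elsewhere.
    #[derive(Default)]
    pub struct AddrView { addr: HashMap<Symbol, i64> }

    impl Addr for AddrView {
        /// Encapsulation: only even addresses are ever stored.
        fn set_addr(&mut self, sym: &Symbol, x: i64) -> Result<(), String> {
            if x % 2 == 0 {
                self.addr.insert(sym.clone(), x);
                Ok(())
            } else {
                Err(format!("bad address {} for {}", x, sym.name))
            }
        }
        fn get_addr(&self, sym: &Symbol) -> Option<i64> {
            self.addr.get(sym).copied()
        }
    }
}

/// Structural equality as an interface (the paper's Eq[a]).
pub trait StructEq {
    fn equals(&self, other: &Self) -> bool;
}

/// Making Symbol an instance from outside its module: a view with a body.
impl StructEq for symtab::Symbol {
    fn equals(&self, other: &Self) -> bool {
        self.name == other.name && self.tp == other.tp
    }
}

#[derive(Debug, Clone)]
pub enum List<A> { Nil, Cons(A, Box<List<A>>) }

impl<A> List<A> {
    pub fn from_vec(items: Vec<A>) -> List<A> {
        items.into_iter().rev().fold(List::Nil, |tail, head| List::Cons(head, Box::new(tail)))
    }
}

/// The bounded view [a < Eq[a]] (this: List[a]): Eq[List[a]]: lists are
/// comparable exactly when their elements are.
impl<A: StructEq> StructEq for List<A> {
    fn equals(&self, that: &Self) -> bool {
        match (self, that) {
            (List::Nil, List::Nil) => true,
            (List::Cons(h1, t1), List::Cons(h2, t2)) => h1.equals(h2) && t1.equals(t2),
            _ => false,
        }
    }
}

/// Constructed scenario exercising both views: an even and an odd address,
/// then two equal lists and one that differs.
pub fn demo() -> (bool, bool, Option<i64>, bool, bool) {
    use codegen::Addr;
    let x = symtab::Symbol { name: "x".to_string(), tp: "Int".to_string() };
    let y = symtab::Symbol { name: "y".to_string(), tp: "Int".to_string() };
    let mut view = codegen::AddrView::default();
    let ok_even = view.set_addr(&x, 16).is_ok();
    let ok_odd = view.set_addr(&y, 17).is_ok();
    let l1 = List::from_vec(vec![x.clone(), y.clone()]);
    let l2 = List::from_vec(vec![x.clone(), y.clone()]);
    let l3 = List::from_vec(vec![y.clone()]);
    (ok_even, ok_odd, view.get_addr(&y), l1.equals(&l2), l1.equals(&l3))
}
```

A List of a type without a StructEq impl simply has no equals method, which is the "has or lacks method equals" behaviour of the paragraph above, decided at compile time.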



Name resolution

The rest of this section discusses detailed design and implementation choices for views. The most fundamental design choice concerns name resolution of fields defined by views. Such resolution can be static, based on compile-time types or it can be dynamic, based on run-time types. To see the difference, consider a variant of our symbol table code. Assume that we want to further refine the type of symbols into variable symbols and function symbols:







    type Symbol = {
      ... (fields as before) ...
    }

    type VarSymbol < Symbol = { ... }
    type FunSymbol < Symbol = { ... }

In the code generator, one might need a function loadAddr which returns the instruction for loading a given symbol's address. The result of this function will depend on the kind of symbol encountered. It is therefore reasonable to implement loadAddr as a method of type Symbol, to be overridden in subtypes. But as before, we want to keep the source code in Symtab unchanged. Again as before, we resort to views for implementing the new functionality in the code generator client. Instead of a single view we now need three views, one for each kind of symbol:

    type Loadable = {
      loadAddr: Code
    }

    (sym: Symbol): Loadable = {
      loadAddr: Code = error("can't load")
    }

    (sym: VarSymbol): Loadable = {
      loadAddr: Code = ... (sym.addr)
    }

    (sym: FunSymbol): Loadable = {
      loadAddr: Code = ... (sym.addr)
    }



Can this work? Assume that the code generator calls the loadAddr method of a symbol it retrieved (via lookup) from the symbol table. The static return type of lookup is Symbol. So if we perform name resolution based on the static type, then loadAddr will always result in error("can't load"). In an object-oriented language such behavior would be counter-intuitive. We therefore pick dynamic name resolution, where the loadAddr method is chosen according to the run-time type of the symbol returned from lookup. If the returned symbol represents a variable, we invoke the loadAddr method of the view for VarSymbol. If the symbol represents a function, we invoke the loadAddr method of the view for FunSymbol instead. Only if the returned symbol is neither a variable nor a function, the loadAddr method of the view for the base class Symbol is invoked.

In the last example the call to loadAddr was resolved as if loadAddr was a regular method in Symbol, which was overridden in VarSymbol and FunSymbol. We can indeed often view a program with views as equivalent to a program with multiple inheritance where all views are inlined in their base classes. View methods then become regular methods and target types of views become elements of subtyping clauses. The correspondence with multiple inheritance programs serves as a guide in the definition of the semantics of views and the context-dependent syntax rules governing them.

The context-dependent syntax rules are based on the concept of the view graph. The view graph VG of a project has as nodes the set of types defined in all source files of the project and as edges the set of views between types. Subtyping clauses are also interpreted as view edges. Furthermore, we regard the methods defined in a class as defined in an additional view which goes from a new node representing a class implementation to the proper class type itself. A field which occurs textually in a record type T is said to be defined in T. A field which occurs textually in a view V is said to be implemented by V. The subtyping ordering < on classes induces an ordering on views as follows: A view from S to T precedes a view from S' to T if S < S'. We then require the following:

- The view graph must be acyclic.

- A view from S to T may only implement fields which are not already defined in S.

- When selecting a field f from an expression e of type T, there must be exactly one type reachable from T in VG which defines f.

- Let I be the node representing a class implementation and let T be a type reachable from I in VG. Then every field f in T must have a best implementation for I. This means: First, there must be a view on a path between I and T which implements f. Second, among all the views on paths between I and T which implement f, there must be one view which precedes all others according to the induced subtyping ordering on views. This requirement corresponds to the usual requirement for multiple inheritance that inheritance of fields must be unambiguous.

It is worth noting that some of these rules are global in that they require knowledge of the complete view graph. To check such global requirements in a system with separate compilation, one could delay some type checking until link time. As an alternative one could also maintain a project-wide repository in which all current view declarations are maintained. Consistency of the view graph can then be checked incrementally, as views are added and deleted.



5 Related Work

The shortcomings of the object-oriented approach in the area of adaptability have been known for some time. They have given rise to a varied body of research. The work on subject-oriented programming [9] identified the need for multiple, independent roles played by a single object. Aspect-oriented programming [ 7], hyperspaces [27], and adaptive programming [2 ] all address this requirement with systems which act as source to source transformations. The idea is in each case that different aspects of a program are defined in separate source files which are then merged using a "weaver" tool. Binary component adaptation [ 6] provides mechanisms to perform similar changes on Java class files. Both weavers and binary component adaptation are possible approaches for implementing views. Compared to these approaches, views are more restrictive in that they support only strict extensions of existing classes. One advantage of this restriction is that strict extensions commute, so that the semantics of the weaver tool becomes a non-issue.

Multi-methods [ ,4] are another approach to extend the limitations of pure object-oriented programming. Here, a method is no longer attached to a single class, and method selection takes the dynamic type of all method arguments into account. Like views, multi-methods can be defined independently of their argument classes, but multi-methods are more general than views in that they abandon the concept of a distinguished receiver argument and in that they require multiple dispatch. Type objects [ 9] are an idiom of multi-methods which is comparable to views.

Like views, Haskell's type classes allow a distributed definition of functionality over data types. Qualification of type variables in a qualified type corresponds to F-bounded qualification of views [3]. A number of different designs for type classes have been developed [ ,22, 2, 3, 4]. Our view proposal is most closely related to parametric type classes [ ], in that the bound of a type variable a may have additional parameters other than a itself. Type classes are usually studied in systems without subtyping. Where subtyping is added [ ], name resolution is based on static types, whereas views are based on dynamic types.

A language construct called "view" has also been proposed for functional programming [2 ]. These views serve as alternative decompositions of sum types such as Haskell's algebraic data types. By contrast, the views presented here provide alternative accesses to product types such as records or objects. Both designs have in common that a view can be defined in program parts other than the one which defined its base type.

6 Conclusion

Do objects plus views equal components? This paper has argued that truly reusable component libraries require the ability to adapt components by extending them with new functionality, and to compose components via first-class plugs. Object-oriented programming and abstract state machines each provide one of these two keys to successful composition. The view construct aims at providing both of these keys.

Work is currently under way on a complete design and implementation of views in the context of Funnel, an implementation language for functional nets. Only future experience will tell whether the two keys are sufficient for the construction of truly reusable component libraries. That's why the title of this paper still ends in a question mark.
Xasm - An Extensible, Component-Based Abstract State Machines Language

Matthias Anlauff

GMD FIRST, Kekuléstr. 7
D-12489 Berlin, Germany
ma@first.gmd.de



Abstract. The Abstract State Machine (ASM) [ 6] approach has already proven to be suitable for large-scale specifications of realistic systems [ ,9,22,34]. Due to the fact that the ASM approach defines a notion of executing specifications, it provides a perfect basis for a language, which can be used as a specification language as well as a high-level programming language. However, in order to upgrade ASMs to a realistic programming language, such a language must - besides other features - add a modularization concept to the core ASM constructs in order to provide the possibility to structure large-scale ASM-formalizations and to flexibly define reusable specification units. In this paper, the language Xasm, which stands for Extensible ASM, is presented. Xasm realizes a component-based modularization concept based on the notion of external functions as defined in ASMs. This paper also briefly describes the support environment of Xasm consisting of the XASM-compiler translating Xasm programs to C source code, and the graphical debugging and animation tool.

1 Introduction

The Abstract State Machine approach has been and is successfully used to model a large number of case studies including industry-relevant ones. The simplicity of the basic data and execution model of ASMs makes them perfectly suitable as the basis for a language that on the one hand can be used as specification language and on the other hand as a high-level programming language. In this paper, the Xasm (Extensible ASM)¹ language is presented which aims at providing support for using ASMs as a programming language for producing efficient and reusable programs. There exists a number of other ASM implementations which all implement most of the constructs as defined in the Lipari-Guide [ 6]. While the realization of the ASM constructs can be seen as the core functionality which must be present in each ASM support system, the difference of an ASM system compared to all others can be characterized by

¹ formerly known as "Aslan"; the name has been changed because of a name conflict with another tool.

Gurevich et al. (Eds.), pp. 6 - 
(c) Springer-Verlag Berlin Heidelberg







- its efficiency,
- the functionality of its support environment,
- its rule abstraction concept, and
- its interoperability with other languages and systems.

For example, all ASM implementations - including Xasm - define some macro structures on top of the core language in order to provide some kind of rule abstraction concept. These additional features are indispensable for managing large formalizations. In the ASM-Workbench [3], for instance, a special "rule" construct is introduced being used to assemble specifications from smaller pieces.

Concerning these features, Xasm combines the advantages of using a formally defined method with the features of a full-scale, component-based programming language and its support environment.

The paper is organized as follows: In Section 2 an overview of Xasm is given. Section 3 introduces the component-based module concept of Xasm, in Section 4 the external language interface of Xasm is described. In Section 6 the possibility to specify the syntax of input languages using context-free grammar definitions is presented, which is followed by the description of non-standard language constructs defined in Xasm in Section 5. Section 7 sketches the support environment of Xasm; Section 8 contains concluding remarks and points out future work.

2 Overview of Xasm

Xasm is an implementation of sequential ASMs focusing on the generation of efficient executable programs simulating the run of the specified ASM. In general, the main design goals of Xasm can be given as follows:

- full support of the ASM language as defined in the Lipari-Guide;
- efficient execution of generated executables;
- comfortable animation and debugging of specifications;
- component-based library concept for managing large-scale specifications;
- external language interface for integrating specifications in other systems.

A scenario of building ASM-based programs using Xasm is depicted in Figure 1. Xasm source files are translated into C source by the XASM-compiler. Additionally, the user can integrate C-sources and C-libraries using the external language interface. As described below, Xasm introduces a notion of components being stored in a special repository. During the translation process, the XASM-compiler retrieves registry information from the component repository in order to integrate pre-compiled XASM-components in the current build process. The result of such a build process is a binary being either an executable or an element of the component library. In either case, the binary contains the algorithms specified in the Xasm source files.

Fig. 1. Building Xasm applications

Basically, XASM-programs are structured using "asm ... endasm" constructs each of which containing a list of local function and universe declarations and a list of rules representing a certain part of the overall specification. In general, the structure of a Xasm-asm is shown in Figure 2. The meta information part contains information concerning the role of the asm as a reusable component; this part is described in more detail below.

As defined in the Lipari-Guide, types are not part of the core ASM language. However, because typing has been proven to be very useful to avoid many kinds of errors, in XASM types can be supplied to the declaration of a function and are used to detect static semantics inconsistencies of the formalization.

3 Basic Structure of Xasm Programs: Xasm Components

Fig. 2. The general structure of an Xasm-asm:

    A(a_1 : T_1, ..., a_n : T_n) -> a : T
    (asm meta information)
    (universe, function, and subasm declarations)
    (initialization rules)
    (asm rules)

In order to provide the full comfort of a modern programming language, pure ASMs lack a concept of modularization which is indispensable for structuring large-scale formalizations. Macros, which are normally used in the literature to structure large formalizations, only provide limited functionality with respect to the advantages one expects from a module concept. However, macros are a good means for "ASM-programming-in-the-small", but they fail to provide a basis for writing formalizations that can be re-used in other formalizations.

Therefore, Xasm uses a more powerful modularization concept which is based on the notion of a component as it is used in component-based systems (e.g. [2 , 3 ]).

3.1 Uses of "asm"-Constructs

As mentioned above, a Xasm formalization is structured using "asm ... endasm" units. In order to explain the relationships that can exist between these units, we will first introduce the possible "use modes": an asm can be accessed by other asms in either of the following two ways:

- If an asm A uses B as sub-asm, it means that B - possibly together with arguments, if the arity of B > 0 - is used as a rule in the body of A. If this rule fires, the rules of asm B fire, which may result in updating locations of functions declared in A. The sub-asm-use relation between asms may contain cycles; lazy evaluation techniques are used to avoid an infinite number of rules. The call as subasm is illustrated in the figure: the sub-asm B and its parent asm A step simultaneously; formally they can be seen as one single ASM.

  [Figure: asm step / call as subasm]

- Asm A uses B as a function, if B is defined as external function in A. In this case, B - possibly together with arguments, if the arity of B > 0 - is used as a term in the body of A. Recursion is allowed, so that the function-use relation between asms may contain cycles. The call as function is illustrated in the figure. During the run of the function-asm B, its parent A doesn't make a step; from A's point of view, B's run happens in zero time. As depicted in the figure, B behaves like a "normal" asm; the iterations shown are caused by the steps of the B-asm itself.

In each of the above cases, we call A the parent of B, if A uses B as sub-asm or as function. In any case, the asm must be declared in the parent asm. As part of its meta information, an asm can be marked as a function or as a sub-asm, so that it can only be used by other asms in the specified way.

For example, if B and C are asms defined as follows

  asm C(x : Int)
    uses as subasm
  is
    ...
  endasm

  asm B(x : Int) -> Int
    uses as function
  is
    ...
  endasm

then B can only be used as function and C as sub-asm in other asms. This is reflected by corresponding declarations of B and C:

  asm A
  is
    subasm C(x : Int)
    external function B(x : Int) -> Int
  endasm

[Figure: B | B | ... | B; asm step / call as function]

t pical situatio for usi g sub-asms is gi , t sp cificatio ca b 

split up aturall i to s ral sub-sp cificatio s ac of ic mod li g a c rtai 
asp ct of t o rail sp cificatio . 








74 



nlauff 



sm Robot is 


sm Robot _is standing 


u i rs M odeV alue = {standing , moving} 


us s su sm 


su sms Robot Js standing, 


is 


Robot Js -moving 




fu cti mode —>■ ModeValue 


mode := moving 


if mode = standing t 


sm 


Robot Js standing 


sm Robot As .moving 


s if mode = moving t 


us s su sm 


Robot -is -moving 


is 


if 


mode := standing 


sm 


sm 



I t is cas , t sp cificatio i troduc s t otio of a mod ic ca 
b us d to structur t formal! atio . I t ampl , it is assum d, t at t 

sub-asms updat t alu of t mod fu ctio to som alu . 



3.2 Xasm Components

The declaration of sub-asms and external functions that refer to other asms in the specification requires that the existence and functionality of these asms is known at specification time. This is comparable to a static module concept and is useful for defining sub-parts of one specific formalization. In order to be "component-based" as announced above, the module concept must be enriched with some other features allowing a more flexible and comfortable definition of reusable units.

For example, consider the following asm that may be used in the context of a programming language semantics specification. It checks whether a given variable is defined in the current block or in one of the parent blocks. The information whether a variable is defined in a certain block is stored in the function DeclTable; the block structure is stored in the function ParentBlock mapping blocks to their corresponding parent blocks:

  asm check_blockvar(block : Str, var : Str) -> Bool
    uses as function
    accesses functions DeclTable(Block : Str, var : Str),
                       ParentBlock(Block : Str) -> Str
  is
    function current_block <- block
    if DeclTable(current_block, var) != undef then
      return true¹
    else
      current_block := ParentBlock(current_block);
      if current_block = undef then
        return false
      endif
    endif
  endasm

¹ The meaning of the return rule is explained later.

Note that this function works correctly without recursively calling itself; it iterates until no update changes the internal state of the asm.
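The same walk over the parent chain, written in C as an added example (this is not Xasm code and not the paper's runtime). DeclTable and ParentBlock are modelled as small constructed lookup tables, a NULL pointer plays the role of undef, and MAX_DEPTH is an assumption added here: the Xasm asm terminates because ParentBlock eventually yields undef, so a ParentBlock relation that accidentally contains a cycle would make it loop forever; the depth bound turns that into "not declared".

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* assumption: bound against a cyclic ParentBlock */

typedef struct { const char *block; const char *parent; } ParentEntry;
typedef struct { const char *block; const char *var;    } DeclEntry;

/* Constructed sample block structure: main <- loop <- body, plus a
 * malformed pair cyc1 <-> cyc2 whose blocks refer to each other. */
static const ParentEntry parent_block[] = {
    { "main", NULL   }, { "loop", "main" }, { "body", "loop" },
    { "cyc1", "cyc2" }, { "cyc2", "cyc1" },
};

/* Constructed sample declarations: which variable is declared in which block. */
static const DeclEntry decl_table[] = {
    { "main", "argc" }, { "main", "argv" }, { "loop", "i" },
};

/* ParentBlock(block): parent of block, or NULL (undef) for the outermost
 * block and for unknown block names. */
static const char *parent_of(const char *block) {
    for (size_t i = 0; i < sizeof parent_block / sizeof parent_block[0]; i++)
        if (strcmp(parent_block[i].block, block) == 0)
            return parent_block[i].parent;
    return NULL;
}

/* DeclTable(block, var) != undef */
static int declared_in(const char *block, const char *var) {
    for (size_t i = 0; i < sizeof decl_table / sizeof decl_table[0]; i++)
        if (strcmp(decl_table[i].block, block) == 0 &&
            strcmp(decl_table[i].var, var) == 0)
            return 1;
    return 0;
}

/* check_blockvar(block, var): 1 if var is declared in block or in one of
 * its parent blocks, 0 otherwise. Like the Xasm asm it iterates
 * (current_block := ParentBlock(current_block)) and stops at undef; the
 * depth bound additionally reports a cyclic chain as "not declared". */
int check_blockvar(const char *block, const char *var) {
    const char *current_block = block;
    int depth = 0;
    while (current_block != NULL) {
        if (declared_in(current_block, var))
            return 1;
        if (++depth > MAX_DEPTH)
            return 0;
        current_block = parent_of(current_block);
    }
    return 0;
}

int main(void) {
    printf("body/argc: %d\n", check_blockvar("body", "argc"));  /* 1 */
    printf("body/x:    %d\n", check_blockvar("body", "x"));     /* 0 */
    printf("cyc1/argc: %d\n", check_blockvar("cyc1", "argc"));  /* 0 */
    return 0;
}
```

The tables are what a real front end would fill in from the parsed program; the lookup order (innermost block first, then outward) is what makes shadowing work the way static scoping expects.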

The "accesses" construct is used to specify the functions the asm expects from its parent asm. Now, with this additional meta information, the asm can be regarded as a component, because it provides the information necessary to be processed as a stand-alone unit. The asm can be separately compiled and put into the Xasm component library; other formalizations can reuse it provided that they declare the required functions.

Besides the "accesses" construct, which allows to read the locations of the corresponding functions provided by the parent asm, the Xasm "updates" construct marks the corresponding function as readable and writable for the sub-asm or function. In the previous example, the mode function must be marked as "updated" by the two sub-asms, because it is updated in the body of each of them:

  asm Robot_is_standing
    uses as subasm in Robot
    updates function mode -> ModeValue
  is
    mode := moving
  endasm

  asm Robot_is_moving
    uses as subasm in Robot
    updates function mode -> ModeValue
  is
    mode := standing
  endasm

Like the accessed functions, the updated functions must be declared in the parent asm. In order to avoid repetitions in the source code, the notation "uses as subasm in A" can be used as an abbreviation for accessing all functions and universes declared in A except those that are explicitly marked as "updated" by the sub-asm (analogously for asms that are used as functions). Besides functions, sub-asms can also be contained in the "accesses"-list of an asm-component. The accessed sub-asms are used in the rule section of the asm as if they had been declared locally.

3.3 Gluing of Xasm Components

In order to provide a high degree of flexibility in interconnecting XASM-components, it is possible to define local derived functions using so-called "with" definitions. For example, an asm A wants to use the check_blockvar as introduced above, but A doesn't declare a function named "DeclTable" as it is required by the check_blockvar asm. However, the DeclTable must be somehow expressible using existing functions in A. The "with"-statement can be used to provide the called asm with the necessary function declaration, as illustrated in the following example:

  asm A is
    function currentmodule -> Str
    function SymTable(mod : Str, block : Str, v : Str) -> Int
    external function check_blockvar(b : String, v : Str) -> Bool
      with DeclTable(b : Str, v : Str) == SymTable(currentmodule, b, v)
  endasm

In a similar way, accessed sub-asms can be specified in the context of a "with" statement.

Using Xasm components together with this kind of gluing mechanism provides a powerful means to structure large specifications using smaller and reusable units.

3.4 Formal Semantics of "accesses" and "updates" Declarations

The semantics of the "accesses" and "updates" declarations in asms depends on whether the asm is used as a sub-asm or as a function. In the following, the semantics of these constructs in each of these cases is explained briefly.

Accessed and updated functions in sub-asms. If an asm B is used in A as a sub-asm, the accessed and updated functions in B are directly linked to the corresponding functions in A. That means that if B updates a function declared in A, the update is visible for both A and B in the subsequent step. This can be done in this way, because A and B step simultaneously; the rules of B are regarded as part of the rules of A. Similarly, if B accesses a sub-asm C, then firing C in B has the same effect as firing C in A.

Accessed and updated functions in external functions. A more complicated case is given by an asm B being used as an external function in A which accesses and updates functions declared in A. Due to the fact that A doesn't make a step during the run of B, rules in B updating dynamic functions declared in A are actually not performed from B's point of view. Therefore, in Xasm the semantics of updated functions in external asm functions is defined in a way that this kind of unintuitive behavior is avoided:

- For each function f being marked as "updated", a local function with the same name is (internally) declared in B;
- this local function is initialized with the values of the original function in A;
- during the run of B the functions marked as "updated" can be accessed like any other local function in B;
- on termination of B the updated locations of these functions are propagated to the original function declared in the parent asm A.

This ensures that the updates of an "updates" function are accessible in B, and that only the last updates are forwarded to the parent A. In general, the updates of functions declared in A and updated in B are treated as being part of the update set of A's current step. As a consequence, multiple invocations of B in the same step of A do not influence each other.

Consider the following - somewhat artificial - example:

In each step of the run of asm B the value of the updated function f(x) is updated with a new value.² The semantics of the "updates" declaration in Xasm ensures that updates of f are accessible in B and that only the last update of f in B is propagated to the parent asm A. In this example, the update f(x) := 2 is propagated to A, while all other updates occurring in the "internal" steps in B have only local effects in B.
3.5 Access Modes of External Functions

In order to allow different kinds of accesses to external entities, external functions can be declared either as "monitored" or as "output" functions. In the first case, the external function can be read, but not written (e.g. user input); in the second case, the external function can be written, but not read (e.g. output channels like stdout and stderr).

As a restriction, an external function can be either a monitored or an output function, not both. If a function could have both modes, reas
oning about the values of that function would require special case distinctions: if a location of such a function is updated in one step of the asm by means of an update rule, it cannot be guaranteed that the location has the updated value in the next step, because the environment might have changed it in the meantime.

In the following example, the 0-ary function error is defined as an external function with "output" access mode; it is used in the parent asm for displaying an error message on "stderr" and for setting an ok-flag to false.

  asm A is
    relation checkok
    external [output] function error -> Str
      with ok_flag == checkok
    error := "..."
  endasm

  asm error -> msg : Str
    uses as function
    updates relation ok_flag
  is
    use stdio
    stderr := msg
    ok_flag := false
  endasm

The value that is used for updating the external function can be accessed using the named result parameter msg. The use construct includes pre-defined header files containing function declarations that are in this case used to declare the external functions stdout, stdin, and stderr.

If no access mode is specified in the declaration of an external function, the mode "monitored" is assumed.

² In step 1: f(x) := 1; in step 2: f(x) := 2; that means that in the second step the update r := 1 is performed in B, in the third step r := 2.

3.6 Scoping

In the context of use-relations between asms, Xasm distinguishes between the parent-asm and the caller-asm: the parent-asm of an asm B is the asm where B is declared (either as sub-asm or as external function), while the caller-asm is the asm where the call actually takes place.

In the easiest case, parent and caller are the same, as in the above example: asm error is declared in and called by asm A. In the following example, this is not the case:

  asm A is
    relation checkok
    external [output] function error -> Str
      with ok_flag == checkok
    subasm B
    B
  endasm

  asm error -> msg : Str
    uses as function
    updates relation ok_flag
  is
    use stdio
    stderr := msg
    ok_flag := false
  endasm

  asm B
    updates function error -> Str
  is
    error := "..."
  endasm

Here, A is the parent-asm and B the caller-asm of asm error. As a consequence, the exported relation ok_flag is taken from the parent-asm, rather than from the caller-asm. That means that the update of error in B has the consequence that the checkok relation is updated in A. This distinction has been made in order to completely abstract from the actual realization of exported and accessed functions and sub-asms. In this case, B doesn't need to "know" that error is an external function.

The scoping rule for Xasm-asms is similar to static scoping in programming languages and can be summarized as follows:

Properties of functions and subasms accessed by an asm B are taken from the asm where B is declared, either as external function or as subasm.
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3.7 tur i usrm tr u cti s 

s air ad fr qu tl us d i t ampl si t is docum t, t r tur co - 

struct is us d to sp cif t r tur alu of a mo itor d t r al fu ctio . I 

t rms of s, “r tur ” is r ali d as folio s: I ac sm B t at is us d as 

mo itor d fu ctio , a -ar d amic fu ctio Bjresult is d clar d a d i itiali- 

d it nojresult, a sp cific 1 m t of t sup ru i rs . t i? b t rul of 
i? as d fi d b t us r, t t i t r all us d rul r pr s ti g t bod of 

i? is gi b t folio i g CO ditio al: 



if Bjresult = nojresult t 
R 

if 

I ot r ords, updati g Bjresult it alu diff r t from t sp dal 
nojresult 1 m t dir ctl fore s t sm to t rmi at . otatio “r tur 

t” i a sm B is t simpl a abbr iatio for t updat “B_result := f ’ . 

4 Xasm External Language Interface

In order to integrate ASM algorithms into other applications, Xasm defines an external language interface. In the current version, this interface is implemented for the connection of Xasm programs with programs written in the C language. Interfaces to other languages, like Java, are in preparation.

In principle, there are two alternatives how the interconnection to the external application can be realized:

- C-functions are used to implement external functions, or
- Xasm-asms are called from the C main program.

In the first case, the main control of the application is handled by the XASM-part of the system, while in the second case the C-application has the main control. This is also reflected by the definition of the "main" function: in the first case it is contained in the XASM-part, in the second case the C-part must provide it. The corresponding interfaces of Xasm for these two alternatives are explained in the following.

4.1 External C-Functions

In the previous sections we have seen that external functions can be specified in Xasm using the asm construct. Alternatively, external functions can be implemented in C. The corresponding XASM-declaration is given as follows:

  extern "C:c_name" [access-mode] function xasm_name(a1 : T1, ..., an : Tn) -> T

c_name specifies the name of the C function; it can be omitted, if it is equal to the Xasm-name of the function. Depending on the access mode of the XASM-function, the corresponding C-function prototypes differ slightly:

- If the access mode is "monitored", the C-functions are defined as follows:

    ASMOBJ c_name(ASM a, int argc, ASMOBJ* argv);

  where "ASMOBJ" is the C-type representing elements of the superuniverse; "ASM" is a C-struct containing information related to the parent asm. These types are specified in the header file "xasm.h" which must be included in those files containing the external function implementations. The arguments of the function call can be accessed via the "argv" field using "argc" as argument count. The first argument, argv[0], always contains the name of the corresponding XASM-function as string element. The result of the external function that is accessible in the calling asm is returned by the C-function as "ASMOBJ".

- If the access mode is "output", the C-functions are defined as follows:

    void c_name(ASM a, int argc, ASMOBJ* argv, ASMOBJ val);

  In this case, additionally the value that is used in the update representing the call of the external function can be accessed using the "val" parameter.

As an example, the following C-code contains the implementation of the "stderr" function previously used in one of the examples:

  #include <stdio.h>
  #include "xasm.h"

  void xasm_stderr(ASM a, int argc, ASMOBJ* argv, ASMOBJ val) {
    if (argc != 1) {
      error("wrong # args for external function '%s'.\n",
            c_stringvalue(argv[0]));
      return;
    }
    fprintf(stderr, "%s", str_obj(val));
  }

The XASM-library function "str_obj" returns the string representation of an ASMOBJ. The corresponding declaration of the external C-function in an asm has the following format:

  extern "C:xasm_stderr" [output] function stderr -> String
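An external function is a trust boundary between generated code and hand-written C, so the checks the stderr example performs on argc are worth extending to the kind of every ASMOBJ before it is used. The following added example (not Xasm's own code) implements one monitored and one output external function with those checks; the ASM and ASMOBJ types are stand-ins, an assumption made here because the paper does not show the layout of the real types from "xasm.h", and the Xasm declarations named in the comments (strlen, log) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the types in "xasm.h" (assumption: the real layout differs). */
typedef enum { OBJ_UNDEF, OBJ_INT, OBJ_STRING } ObjKind;
typedef struct { ObjKind kind; long ival; const char *sval; } ASMOBJ;
/* Information about the calling (parent) asm. */
typedef struct { const char *name; int errors; char last_output[128]; } AsmInfo;
typedef AsmInfo *ASM;

static ASMOBJ obj_undef(void)           { ASMOBJ o = { OBJ_UNDEF, 0, NULL }; return o; }
static ASMOBJ obj_int(long v)           { ASMOBJ o = { OBJ_INT, v, NULL };   return o; }
static ASMOBJ obj_string(const char *s) { ASMOBJ o = { OBJ_STRING, 0, s };   return o; }

/* Record a runtime error against the calling asm instead of aborting. */
static void asm_error(ASM a, const char *fn, const char *msg) {
    a->errors++;
    fprintf(stderr, "asm %s: external function '%s': %s\n", a->name, fn, msg);
}

/* argv[0] always carries the Xasm name of the function; use it only if present. */
static const char *fn_name(int argc, const ASMOBJ *argv) {
    return (argc >= 1 && argv[0].kind == OBJ_STRING && argv[0].sval) ? argv[0].sval : "?";
}

/* Monitored external function, hypothetically declared in Xasm as
 *   extern "C:xasm_strlen" function strlen(s : String) -> Int
 * argc is 2: the function name plus one argument. */
ASMOBJ xasm_strlen(ASM a, int argc, ASMOBJ *argv) {
    const char *fn = fn_name(argc, argv);
    if (argc != 2) { asm_error(a, fn, "wrong # args"); return obj_undef(); }
    if (argv[1].kind != OBJ_STRING || argv[1].sval == NULL) {
        asm_error(a, fn, "argument is not a string");
        return obj_undef();        /* undef, never the length of unrelated memory */
    }
    return obj_int((long)strlen(argv[1].sval));
}

/* Output external function, hypothetically declared as
 *   extern "C:xasm_log" [output] function log -> String
 * val carries the value of the update  log := v  in the calling asm. */
void xasm_log(ASM a, int argc, ASMOBJ *argv, ASMOBJ val) {
    const char *fn = fn_name(argc, argv);
    if (argc != 1) { asm_error(a, fn, "wrong # args"); return; }
    if (val.kind != OBJ_STRING || val.sval == NULL) {
        asm_error(a, fn, "value is not a string");
        return;
    }
    /* bounded copy: a long message is truncated, never overruns last_output */
    snprintf(a->last_output, sizeof a->last_output, "%s", val.sval);
    fprintf(stderr, "%s\n", a->last_output);
}

/* Drives both functions as generated code would. Returns the number of
 * errors recorded by the calling asm (2: one per malformed call), or -1
 * if a well-formed call did not produce the expected result. */
int demo_external_calls(void) {
    AsmInfo info = { "MAIN", 0, "" };
    ASMOBJ good[2] = { obj_string("strlen"), obj_string("hello") };
    ASMOBJ bad[2]  = { obj_string("strlen"), obj_int(42) };
    ASMOBJ name[1] = { obj_string("log") };

    ASMOBJ r = xasm_strlen(&info, 2, good);      /* -> Int 5 */
    ASMOBJ u = xasm_strlen(&info, 2, bad);       /* -> undef, error #1 */
    xasm_log(&info, 1, name, obj_string("ok"));  /* accepted */
    xasm_log(&info, 1, name, obj_int(7));        /* rejected, error #2 */

    if (r.kind != OBJ_INT || r.ival != 5) return -1;
    if (u.kind != OBJ_UNDEF) return -1;
    if (strcmp(info.last_output, "ok") != 0) return -1;
    return info.errors;
}

/* A call with the name only (argc == 1) for a 1-ary function must be rejected. */
int demo_reject_wrong_argc(void) {
    AsmInfo info = { "MAIN", 0, "" };
    ASMOBJ only_name[1] = { obj_string("strlen") };
    ASMOBJ r = xasm_strlen(&info, 1, only_name);
    return r.kind == OBJ_UNDEF && info.errors == 1;
}
```

Returning undef on a rejected call keeps the failure inside the ASM model, where the calling asm can test for it, rather than letting a wrong argument count or a mistyped ASMOBJ be dereferenced as a C string.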



4.2 Embedding Xasm-Programs in C-Applications

If the XASM-part of a system should provide services for a C-based application, the main asm and all sub-asms of it can be called from the C-code. In this case, the XASM-compiler must be invoked with a special option that prevents the generation of the "main"-function.

Before any of the asms can be invoked, the XASM-part must be initialized. For this purpose, the generated C-code defines the function "asm_main" as follows:

  int asm_main(int argc, char **argv);

The arguments to this function are given as strings which are parsed and transformed to corresponding "ASMOBJs". The actual invocation of the main asm can be made using the C-function "run_mainasm":

  ASMOBJ run_mainasm();

This kind of embedding is actually used in the implementation of the Xasm-compiler itself: the static semantics check is carried out by an algorithm specified in Xasm.

A number of external C-functions are already integrated into the runtime system, for example external functions to communicate using IP sockets, string manipulation functions, file access functions etc.
5 Non-standard Language Constructs in Xasm

Besides the implementation of the core ASM constructs, Xasm provides a number of useful extensions that can all be directly mapped to the original ASM constructs. In the following, some of these extensions are described briefly; a full version of the language specification is in preparation and will be available shortly.



5.1 Constructor Terms

Xasm provides the possibility to define and use constructor terms. The concept of constructor terms can be mapped to the core language as follows: According to [17], each of the function names contained in the vocabulary V of an ASM may be marked as relation or static, or both. In addition, we allow static functions to be marked as constructive. Let $F_C$ be the set containing all functions in $V$ marked as constructive, $F_C \subseteq V$. Let $f \in F_C$, arity of $f = n$; then the following conditions hold for all states $A$ of the ASM:

(i) $\forall t_1, \dots, t_n$ with $val_A(t_i) \neq undef$, $1 \le i \le n$: $f(t_1, \dots, t_n) \neq undef$

(ii) $\forall g \in F_C$ with arity of $g = m$, $\forall s_1, \dots, s_m$ with $val_A(s_i) \neq undef$: $f(t_1, \dots, t_n) = g(s_1, \dots, s_m) \Rightarrow f = g \wedge n = m \wedge val_A(t_i) = val_A(s_i),\ 1 \le i \le n$

where $val_A(t)$ stands for the evaluation of term $t$ in state $A$ of the ASM. Informally speaking, that means that each constructive function is (i) defined at all locations and that (ii) the content of each location is a unique element of the superuniverse w.r.t. the set of locations of all constructive functions. If $f \in F_C$, then $f$ is called a constructor, and the terms $f(t_1, \dots, t_n)$ are called constructor terms. In Xasm, the declaration of a constructor is part of the function declarations, for example

  constructor nil, cons(_, _)
  universe BinTree = {empty, children(l : BinTree, r : BinTree)}
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i troduc s t co structors nil, cons, empty, a d children, r t rms co - 
struct d usi gt latt rt o co structors ar 1 m ts of t u i rs BinTree. 

Xasm also pro id s patt r mate i g fu ctio alit lik it is us d i ma 
ot r la guag s. tacticall , patt r mate i g t rms ar us d as co ditio 
t rms i CO ditio als, . g.: 



if b =~ children{8zl, Szr) t 
R{kl,kr) 

s 

if 



r ar t r ki ds of pr -d fi d, commo 1 -us d co structors i Xasm: 
s ts, s qu c s, a d tupl s. s co structors ar sp cifi d usi g t ir usual 
r pr s tatio : {x , . . . ,x } for s ts, [x ,... ,x ] for s qu c , a d (x , . . . , a: ) 
for -tupl s. or s qu c s, t otatio [H\T] ca b us d i patt r mate i g 

t rms for acc ssi g ad a d tail of a s qu c . 



5.2 Regular Expressions

In practice, strings are widely used as a common data format for exchanging information between different systems. Xasm therefore provides a special kind of pattern matching based on regular expressions as they are used in UNIX (e.g. in the "sed" program) as well as in many scripting languages like Perl [33] and [26]. The regular expression pattern matching is invoked using the =~ operator like for pattern matching with constructor terms. If both operands of the =~ operator are strings, then the right operand is interpreted as regular expression and the left operand as the string being matched against the regular expression. For example, the regular expression pattern matching expression

  s =~ '^[A-Z]'

evaluates to true, if s is a string starting with a capital letter.⁴

In regular expressions, parentheses "\(..\)" can be used to mark certain parts of the expression that correspond to sub-strings of the left-hand-side string, if the pattern matching has been successful. For that, Xasm provides a special form of regular expression pattern matching: If the left-hand-term of a pattern matching expression evaluates to a string object s and the right-hand-term evaluates to a tuple the first argument of which represents a string object r and the remaining arguments are pattern matching variables &v1, ..., &vn, the string s is matched against the regular expression r and the sub-matches are put into the pattern matching variables &v1, ..., &vn, if the match has been successful.

  if "AnyString" =~ ('^\(.\)\(.*\)$', &hd, &tl) then
    ...
  endif

In this example, the regular expression contains two sub-matches; the first one matches the string "A", the second one the string "nyString". The submatches can be accessed in the then-part of the conditional rule as values of the pattern matching variables &hd and &tl.

³ Xasm uses a special syntax for pattern matching variables and the equality symbol.
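Both forms of =~ described above, the plain string match and the tuple form that fills pattern matching variables, can be written against the POSIX regex API; the following is an added example in C, not Xasm's implementation. It compiles the expression in basic syntax (no REG_EXTENDED) so that \( \) delimits sub-matches exactly as in sed and in the paper's examples, refuses a tuple whose number of variables differs from the number of groups (the arity error the Xasm form would have to report), and bounds every copy into a variable. VAR_LEN and MAX_SUB are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define VAR_LEN 32    /* assumption: capacity of one pattern matching variable */
#define MAX_SUB 8     /* assumption: at most this many \( \) groups */

/* match_re(s, re, vars, nvars):
 *   1  s matches re; vars[0..nvars-1] hold the sub-matches (NUL-terminated,
 *      truncated to VAR_LEN-1 bytes),
 *   0  s does not match,
 *  -1  re is invalid, or its number of \( \) groups differs from nvars. */
int match_re(const char *s, const char *re, char vars[][VAR_LEN], int nvars) {
    regex_t rx;
    regmatch_t m[MAX_SUB + 1];
    int rc;

    if (nvars < 0 || nvars > MAX_SUB) return -1;
    if (regcomp(&rx, re, 0) != 0) return -1;              /* invalid expression */
    if ((int)rx.re_nsub != nvars) { regfree(&rx); return -1; }  /* arity mismatch */

    rc = regexec(&rx, s, (size_t)nvars + 1, m, 0);       /* m[0] is the whole match */
    if (rc == 0) {
        for (int i = 0; i < nvars; i++) {
            regmatch_t g = m[i + 1];                       /* group i+1 -> variable i */
            size_t len = 0;
            if (g.rm_so >= 0 && g.rm_eo >= g.rm_so) {
                len = (size_t)(g.rm_eo - g.rm_so);
                if (len > VAR_LEN - 1) len = VAR_LEN - 1;  /* truncate, never overflow */
                memcpy(vars[i], s + g.rm_so, len);
            }
            vars[i][len] = '\0';
        }
    }
    regfree(&rx);
    return rc == 0 ? 1 : 0;
}

/* The paper's tuple example: "AnyString" =~ ('^\(.\)\(.*\)$', &hd, &tl).
 * Returns 1 when hd = "A" and tl = "nyString", 0 otherwise. */
int demo_anystring(void) {
    char vars[2][VAR_LEN];
    if (match_re("AnyString", "^\\(.\\)\\(.*\\)$", vars, 2) != 1) return 0;
    return strcmp(vars[0], "A") == 0 && strcmp(vars[1], "nyString") == 0;
}

/* The paper's plain example: s =~ '^[A-Z]' (no groups, no variables). */
int starts_with_capital(const char *s) {
    return match_re(s, "^[A-Z]", NULL, 0);
}

int main(void) {
    printf("AnyString split ok: %d\n", demo_anystring());
    printf("Hello starts with capital: %d\n", starts_with_capital("Hello"));
    return 0;
}
```

The arity check matters when the pattern comes from data rather than from the specification text: an expression with more groups than the tuple has variables would otherwise silently drop sub-matches, and one with fewer would leave variables holding stale content.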

5.3 "once" Rules

A common situation occurring in formalizations is that certain rules should fire only once during the run of an ASM. Normally, one has to introduce extra functions in order to ensure this behavior. Xasm introduces a "once" rule for these situations:

  once R1 else R2 endif

which is - in terms of ASMs - equivalent to the conditional rule

  if once(n) then
    R1
    once(n) := false
  else
    R2
  endif

where n is a unique number representing the n'th occurrence of a "once"-rule within the ASM, and once is a unary dynamic relation initialized with true for all these numbers n. The notation "once R" is an abbreviation for "once R else skip endif".
6 Grammar Definitions in Xasm

Historically, Xasm has been developed as the underlying implementation for Montages, a semi-visual method for specifying the syntax and semantics of programming languages, see [2 ,2,3]. As a consequence, the support for programming language related features has been integrated into the Xasm language as a means to extend the original syntax with domain-specific constructs. The syntax and semantics of these extensions can be specified using the Montages method together with the tool support environment Gem-Mex, which translates user-defined language definitions into XASM-code.

⁴ Single quotes are used for the regular expressions in order to prevent interpretation of special symbols (like "\") in the string. To understand the example: ^ stands for the beginning, $ for the end of a string, the dot represents any character, and the asterisk stands for zero or more occurrences of the preceding expression.
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grammar d fi itio s us d for t tra slatio of o tag s-sp cificatio 

ca also b us d dir ctl i Xasm. or t at purpos , t rm a d t k 
d claratio s ca b gi i Xasm, r sulti git g ratio of a pars r for 
t sp cifi d la guag . s a ampl for usi g grammar d fi itio s i Xasm, 
igur 3 CO tai s t sp cificatio of a pars r t at acc pts mpt tags, 

g rat d -fu ctio ca b acc ss d usi g a t r al fu ctio r tur i g 
t root od of t pars tr b i g co struct d duri g parsi g. 



xmlparser{inpfile) 

syntax 

I dent = " [A-Za-z] [A-Za-z0-9_] *" 

r r Elements 

r Elements[Element] 

/* empty */ 
c Elements Element 

r 

r Element = ElementEmpty r 

r ElementEmpty ::= "<”Ident Attributes'" / >”; 

r 

r Attributes[Attribute]\ 

/* empty */ 

c Attributes Attribute 

r 

r Attribute ::= I dent" =" String _token\ 

Ihs ^ (Ident.Name, String Aoken. Name) 

r 

r "C" f c parse-Elements{filename : String) Elements 
f c RootNode Elements 
RootNode ;= parse-Elements(inpfile)\ 



. 3. grammar sp cification in Xasm for parsing mpt 1 m nts 



7 Xasm Support Environment

The support environment of Xasm consists of the XASM-compiler, the runtime system and the graphical debugging and animation interface. In this paper, these tools are only sketched briefly; a more detailed description will be contained in the Xasm user manual which is currently under development. A description of the graphical animation tool is also contained in [2,3].
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7. Xasm- mpi r u tim st m 

s air ad m tio d i ctio 2, t XASM-compil r xasmc tra slat s Xasm 
sourc cod i to -cod impl m ti g t cutabl rsio oft s sp ci- 

fi d i t Xasm sourc fil s. s ta a al sis part is impl m t d i usi g 
“1 ” a d “ acc” for g rati g sea rad pars r cod . t p c cki g part 

is impl m t d i Xasm its If usi g t -it rfac as i troduc d abo . 

Xasm ru tim s st m impl m ts t cor fu ctio alit of t Xasm 

la guag .1 r , all algorit ms a d data structur s ar r ali d b i g us d 
to tra sform a i to a cutabl program, t t art of t ru - 

tim s st m is t impl m tatio of updat a d acc ss fu ctio alit for 
fu ctio s. or t at, a as i g m c a ism is us d to pro id optimi d acc ss 
to alu s of fu ctio s. ru tim s st m also co tai s garbag coll c- 
tio faciliti s, ic is i disp sabl , if algorit ms ar us d for co ti uous 

CO trol s st ms, as d scrib d i [5]. 

7. Xasm r p ic im ti u i t rf c 

I ord r to b abl to a imat a d/or d bug t Xasm program, a grap ical 

a imatio add buggi g tool as b r ali d t at abl s to st p is 1 

cut t , to trac updat s t at as b p rform d i ac st p, a d to 

i fu ctio alu si ac st p. I cas a grammar as b sp cifi d as i put 
format for t Xasm program, a sp cial ki d of grap ical a imatio i do ca 
b us d to displa fu ctio alu s t at r f r to od i t pars tr . igur 
4 s o s a scr -dump of a d buggi g s ssio . dditio all , a it grat d d - 

sig iro m t, i corporati g t grap ical us r i t rfac is curr tl u d r 

d lopm t. 

7.3 Xasm- ck 

s a additio al support f atur , a -packag “asm.st ” is d fi d for 

t p s tti g Xasm sp cificatio s. -fil s ca dir ctl b us d as i put 

fil to t XASM-compil r, so t at o additio al ork is c ssar to produc a 
ig -qualit docum tatio from a ru i g Xasm sp cificatio . Xasm cod 
parts i t is docum t ar produc d usi g t asm st 1 b i g r ali d bas d o 
t “program” st 1 as d fi d i [4]. 

Fig. 4. Snapshot of a XASM-debugger session

8 Conclusions

In this paper, the ASM based language Xasm has been presented, focusing on the additional features provided by the language with respect to the core ASM concepts as defined in the Lipari Guide. A novel concept for structuring ASM specifications based on the notion of components has been presented. This concept perfectly fits into the basic model of the ASM approach, because it allows to choose the level of abstraction for the description that fits best to a given problem without regarding technical constraints. Furthermore, this concept allows efficient development cycles, because asms can be designed as reusable components by exactly specifying what is expected from the environment. An algebraic view of a similar structuring concept has been given by Wolfgang May in [25]. He tries to formalize the notion of "hierarchical ASMs" which is used in early papers of Gurevich and Börger. Later, in [10], special cases of May's concepts are proposed for ASM composition. These cases as well as May's general notion of "hierarchical ASMs" together with means for data encapsulation are directly supported by Xasm.
The language presented in this paper is fully implemented. The system is used as the basis for Montages/Gem-Mex, where generated Xasm code is translated into an interpreter for the language specified using Montages. As a case study, the full specification of I... has been entered in [19]. Other case studies are currently under development, see for example an application to microprocessor simulation in [32] and the application of Xasm as gluing code in legacy systems [4].

As next steps, the Xasm compiler, runtime system and graphical support environment will be further optimized. Also, a concept how tools for the (automatic) verification, model checking and analysis of the ASM formalizations can be integrated into the system is currently under development and will be part of the support system in future versions of the tool. Furthermore, the connection to repository systems will be subject to future considerations concerning the XASM-language. For example, certain functions may be marked as "persistent", meaning that the values of the locations of these functions are stored in the repository system, so that they can be accessed the next time the Xasm is executed. This kind of extension is currently part of work carried out in an industry-based research project. In this project, it is currently considered to use Xasm for formulating certain consistency check algorithms occurring in the context of this project.

Additional applications outside the ASM area are possible, since ASMs can be considered as an instance of so-called transition systems, which form as well the basis for other popular formalisms such as UNITY [11], [23], [24] and the intermediate language [29]. As mentioned in Section 6, the Xasm system is integrated with the Montages method so that other alternative ASM constructs can be easily supported by Xasm. Using Montages, both syntax and semantics of other alternative Xasm constructs can be developed in an integrated development environment called Gem-Mex. Such an extensible system architecture allows the Xasm tool to be tailored to one of the above-mentioned formalisms based on transition systems.

An adapted version of Xasm would be especially useful in a context like the SAL architecture [7], where various other tools are integrated for tasks like theorem proving and model checking. The development cycle supported by the tools integrated with SAL could be extended with a tool like Xasm for debugging and animation of the transition system under consideration. After the developer gains confidence in his specification by debugging and animating it with Xasm, other tools can be used to further analyze the specification. As a result of the further analysis, the original specification typically undergoes major changes. To avoid simple errors introduced by these changes, the specification can again be debugged and animated using Xasm before it is passed to the other tools.

We plan to adapt Xasm to architectures like SAL in order to make it accessible to a large base of users. We can then adapt the Montages method to formalisms like SAL by providing a language semantics with SAL. A specific language may then be developed so that the semantics of programs written in that language can be easily analyzed using the available tools. The concrete syntax of such a language can be adapted to the terminology of domain experts using the language to describe their system. Examples of using Montages to develop languages for special domains are given in [2 , ,4].

Acknowledgements. I very much thank Philipp W. Kutter and Alfonso Pierantonio for their collaboration and fruitful discussions which had a great influence on the design and implementation of Xasm. I would also like to thank Yuri Gurevich and Egon Börger for their interest in my work presented in this paper and for always helping me solving the right problems. My dearest special thanks go to Asuman Sünbül. Her work in the field of component-based software engineering has very much influenced the component model presented in this paper.







r c s 

1. M. Anlauff, A. Bemporad, S. Chakraborty, P. W. Kutter, D. Mignone, M. Morari, A. Pierantonio, and L. Thiele. From easy programming to easy maintenance: extending usability with Montages. Technical Report 4, Institut TIK, ETH Zürich, December 1999.

2. M. Anlauff, P. W. Kutter, and A. Pierantonio. Formal aspects of and development environments for Montages. In M. Sellink, editor, 2nd International Workshop on the Theory and Practice of Algebraic Specifications, Workshops in Computing, Amsterdam, 1997. Springer.

3. M. Anlauff, P. W. Kutter, and A. Pierantonio. Enhanced control flow graphs in Montages. In A. Zamulin, D. Bjørner, M. Broy, editors, Perspectives of System Informatics, volume 1755 of LNCS, pages 40-53, 1999.

4. M. Anlauff, P. W. Kutter, A. Pierantonio, and Asuman Sünbül. Using domain-specific languages for the realization of component composition. In Proceedings of Fundamental Approaches to Software Engineering (FASE), LNCS, 2000.

5. M. Anlauff and A. Sünbül. An ASM specification of an elevator control system. 1999.

6. M. Anlauff and A. Sünbül. Software architecture based composition of components. In GI-Workshop Sicherheit und Zuverlässigkeit software-basierter Systeme, 1999.

7. S. Bensalem, V. Ganesh, Y. Lakhnech, C. Muñoz, S. Owre, H. Rueß, J. Rushby, V. Rusu, H. Saïdi, N. Shankar, E. Singerman, and A. Tiwari. An overview of SAL. In C. Michael Holloway, editor, LFM 2000: Fifth NASA Langley Formal Methods Workshop, June 2000. To appear.

8. J. A. Bergstra and P. Klint. The ToolBus coordination architecture. In Ciancarini and Hankin [12], pages 75-88.

9. E. Börger and D. Rosenzweig. A mathematical definition of full Prolog. In Science of Computer Programming, volume 24, pages 249-286. North-Holland, 1994.

10. E. Börger and J. Schmid. Composition and submachine concepts for sequential ASMs. In P. Clote and H. Schwichtenberg, editors, Gurevich Festschrift, LNCS. Springer-Verlag, 2000. To appear.

11. K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley, Reading, MA, 1988.

12. Paolo Ciancarini and Chris Hankin, editors. Coordination Languages and Models, Proceedings of the first international conference, Cesena, Italy, number 1061 in LNCS. Springer Verlag, 1996.

13. G. Del Castillo. The ASM Workbench: an Open and Extensible Tool Environment for Abstract State Machines. In Proceedings of the 28th Annual Conference of the German Society of Computer Science. Technical Report, Magdeburg University, 1998.

14. Michel Goossens, Frank Mittelbach, and Alexander Samarin. The LaTeX Companion. Tools and Techniques for Computer Typesetting. Addison-Wesley, Reading, MA, second edition, 1994.

15. F. Griffel. Componentware. dpunkt.Verlag, 1998.

16. Y. Gurevich. Evolving Algebras 1993: Lipari Guide. In E. Börger, editor, Specification and Validation Methods, pages 9-36. Oxford University Press, 1995.

17. Y. Gurevich. May 1997 Draft of the ASM Guide. EECS Department Technical Report CSE-TR-336-97, University of Michigan, 1997.

18. Y. Gurevich and J. Huggins. The semantics of the C programming language. In E. Börger, H. Kleine Büning, G. Jäger, S. Martini, and M. M. Richter, editors, Computer Science Logic, volume 702 of LNCS, pages 274-309. Springer, 1993.







19. J. K. Huggins and W. Shen. The static and dynamic semantics of C. In Local Proceedings of ASM 2000, TIK Report Nr. 87, 2000.

20. P. W. Kutter, D. Schweizer, and L. Thiele. Integrating formal domain-specific language design in the software life cycle. In Current Trends in Applied Formal Methods, LNCS. Springer, October 1998.

21. P. W. Kutter and A. Pierantonio. Montages: Specifications of Realistic Programming Languages. Journal of Universal Computer Science, 3(5):416-442, 1997.

22. P. W. Kutter and A. Pierantonio. The Formal Specification of Oberon. Journal of Universal Computer Science, 3(5):443-503, 1997.

23. L. Lamport. The temporal logic of actions. ACM TOPLAS, 16(3):872-923, 1994.

24. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, Volume 1: Specification. Springer-Verlag, New York, NY, 1992.

25. W. May. Specifying complex and structured systems with evolving algebras. In M. Bidoit and M. Dauchet, editors, Proceedings of TAPSOFT'97: Theory and Practice of Software Development, number 1214 in LNCS, pages 535-549, 1997.

26. John K. Ousterhout. Scripting: Higher level programming for the 21st century. IEEE Computer, 31(3):23-30, March 1998.

27. J.-G. Schneider and O. Nierstrasz. Scripting: Higher-level programming for component-based systems. Tutorial, 1998.

28. Jean-Guy Schneider and Oscar Nierstrasz. Components, scripts and glue. In Leonor Barroca, Jon Hall, and Patrick Hall, editors, Software Architectures - Advances and Applications, pages 13-25. Springer, 1999.

29. N. Shankar. Symbolic Analysis of Transition Systems. In this volume.

30. Asuman Sünbül. Architectural Design of Evolutionary Software Systems. PhD thesis, Technical University Berlin, 1999. In preparation.

31. Clemens Szyperski. Component Software: Beyond Object-Oriented Programming. ACM Press and Addison-Wesley, New York, N.Y., 1998.

32. J. Teich, P. W. Kutter, and R. Weper. Description and simulation of microprocessor instruction sets using ASMs. In this volume.

33. Larry Wall and Randal L. Schwartz. Programming Perl. O'Reilly & Associates, Inc., Sebastopol, CA, 1991.

34. C. Wallace. The semantics of the Java programming language: preliminary version. Technical Report CSE-TR-355-97, EECS Dept., University of Michigan, December 1997.




Generic Facilities in Object-Oriented ASMs*

A. V. Zamulin

Institute of Informatics Systems
Siberian Branch of the Russian Academy of Sciences
630090, Novosibirsk, Russia

e-mail: zam@iis.nsk.su
fax: +7 3832 323494
phone: +7 3832 396258



Abstract. Facilities for defining generic object types, generic type categories, generic functions and generic procedures in an object-oriented ASM are described in the paper. These facilities permit one to specify algorithms over complex data structures abstracting both from the type of the structure components and the structure itself. The use of the facilities is demonstrated by the specifications of some important parts of the Standard Template Library for C++.

Keywords: ASM, object types, object categories, generic specifications.

1 Introduction

Object-oriented ASMs as a variant of traditional ASMs [1,2] are formally introduced in [3]. They permit the specification of a dynamic system in terms of mutable and constant objects belonging to different object types. Object types are partially ordered according to a type-subtype relationship which serves for modeling inheritance. Unfortunately, the technique described in that paper does not provide facilities for the specification of generic object types and generic algorithms. At the same time, such facilities are highly needed if one wishes to write reusable specifications.

As a typical example, let us consider the problem of the specification of the Standard Template Library (STL) for C++ [4] which will be used in the paper as a running example. Currently the semantics of the library components is given informally as a set of requirements presented partly in English and partly as C++ program fragments. As a result, the semantics remains incomplete and imprecise, depending heavily on the reader's (and library implementor's) intuition and knowledge of C++. Therefore, a formal description of STL independent of a particular programming language is highly needed.

STL is based on the notion of container which is a data structure consisting of a number of elements of the same type. Several container classes are defined in STL: vectors, lists, deques, sets, multisets, maps, and multimaps. Other container classes can be defined if needed. Each container class is parameterized by the component type. Thus, for each data structure one can write an algorithm abstracting from the component type. This provides the first level of genericity typical of C++.

To abstract from the container's structure, STL introduces a notion of the iterator which is a generalization of the pointer notion. Iterators are grouped into different iterator categories providing abstract data-access methods. There are categories of input iterators, output iterators, forward iterators, bidirectional iterators, and random-access iterators. Iterator categories build a hierarchy. This means that a forward iterator is also an input iterator and an output iterator, a bidirectional iterator is also a forward iterator, and a random-access iterator is also a bidirectional iterator. Algorithms can now be written in terms of iterators abstracting from a concrete data structure. Most important here is the fact that an algorithm requiring, say, an input iterator can also use a forward or bidirectional or random-access iterator. This provides the second level of genericity.

One of the ways of the formal definition of STL is the use of classical algebraic specifications whose advantages are sound mathematical foundation and existence of specification languages and tools. Taking into account the generic nature of the data structures and iterator categories, a specification language like Spectrum [5] providing parameterized sorts and sort classes can be used for this purpose. However, the notions of iterator and container subsume a notion of state which can change when containers are searched or updated. Modeling of the state by classical algebraic specifications involves extra data structures representing the state which must be explicitly passed to a function as argument and yielded as result. Algebraic specifications are also a poor tool for describing a data structure with an arbitrary order of component insertion and deletion. This leads to very complex specifications with problems of describing the differences between different types of containers.

At the same time it seems very natural to consider containers and iterators as objects possessing state and to define container classes and iterator classes as generic object types parameterized by the component type. To define formally iterator categories and thus represent the hierarchy of iterator classes, we need a notion of type category similar to that of sort classes of Spectrum and a notion of generic type category absent in conventional algebraic specifications. Thus, the adaptation and extension of generic facilities of algebraic specifications for enhancing object-oriented ASMs are the main tasks of this paper.

The paper is organized in the following way. Concrete object types defining sets of states of potentially mutable objects and object-oriented dynamic systems generalizing the communities of object states and their transitions are introduced in Section 2. Unconstrained generic object types are defined in Section 3. The generic vector type and generic list type as typical representatives of the Standard Template Library are specified in Section 4 and Section 5, respectively. Object type categories permitting the classification of object types on the base of their operations are introduced in Section 6. Generic object types, generic type categories and generic functions constrained by object type categories are defined in Section 7. Our related work is discussed in Section 8, and some conclusions are given in Section 9.

It is assumed that the reader is familiar with the basic ASM notions which can be found in [1,2]. A familiarity with the formal aspects of object-oriented ASMs [3] is desirable, but not obligatory.

* This research is supported in part by the Russian Foundation for Basic Research under Grant 98- - 682.

Gurevich et al. (Eds.), pp. -, Springer-Verlag Berlin Heidelberg

2 Basic Notions

2.1 Object Types

We distinguish between data and objects and, respectively, between data types and object types. A data identifies itself and is immutable. An object possesses a unique identifier and state which can be mutable. A data type defines a set of immutable values and operations over them. An object type defines a set of states of a potentially mutable object and a number of methods capable to observe or update the object's state. This distinction between data types and object types requires different methods of their specification.

We consider that data types are specified by means of one of the algebraic specification languages like Spectrum [5], Ruslan [6] or the one of [7]. Let (Σ, Ax), where Σ is a signature and Ax is a set of axioms, be the specification of a number of data types. Σ is called the data signature in the sequel. An algebra of this signature is called a data algebra. An object-structured signature, Σ_O, extends Σ with a set of object type signatures [3]. Respectively, an object-structured specification, (Σ_O, Ax_O), extends (Σ, Ax) with a set of object type specifications.

Constructing the object-structured specification, we accompany each object type signature with the corresponding axioms. Therefore, the notions of object type signature and object type specification correspond, respectively, to the notions of class declaration and class definition of C++.

An object-structured specification is defined in the following way. Let OTYPE be a set of (object type) names and OSP a set of object type specifications. An object-structured specification is then a triple ⟨OTYPE, OSP, int⟩, where int is a function mapping OTYPE into OSP. If T ∈ OTYPE, ots ∈ OSP, and int(T) = ots, then the couple ⟨T, ots⟩ is the specification of the object type T (in this case we sometimes write that ots is marked with T).

The specification of an object type T in this paper has the following form:

class T = spec
  [object-type-signature]
  axioms ...,

where object-type-signature is a triple ⟨set of attribute declarations; set of mutator declarations; set of observer declarations⟩.

An attribute or observer declaration has the following form: operator-name: operator-profile. operator-profile is either T or T1, ..., Tn → T where T, Ti are data/object type names indicating the types of attribute/observer parameters (if any) and the result type. A mutator declaration is either just a mutator name or mutator-name: mutator-profile, where mutator-profile is a sequence of data/object type names indicating the types of mutator parameters.

Intuitively, a tuple of attributes defines an object's state, an observer is a function computing something at a given object's state, and a mutator is a procedure changing an object's state. Attributes are often called instance variables, and observers and mutators are often called methods in object-oriented programming languages. All of them are called methods in the sequel.

In the following examples the sets of attribute, observer, and mutator declarations in the object type signature are preceded by the keywords attribute, observer, and mutator, respectively.

As an example, let us consider a simple model of memory consisting of locations storing integer numbers. A consecutive number of locations forms a vector which is a structure allowing both sequential and random access to its elements. A location representing a vector element is called a vector iterator in the sequel. Such an iterator can be understood as an object possessing a unique identifier (address) and the attribute value_stored updated by the mutator put_value and observed by the observer get_value. Since STL is to provide both sequential and random access to the vector elements, we define several extra observers as well. As a result, we create the following object type signature:

class VecIt = spec
  [attribute value_stored: Integer;
   mutator put_value: Integer;
   observer get_value: Integer;
            advance, retreat: VecIt;
            plus, minus: Nat → VecIt;
            difference: VecIt → Nat;
            eq, neq, less, greater, leq, geq: VecIt → Boolean]

In the above example, the community of vector elements is represented by the class VecIt (vector iterator) with several methods giving possibilities to move either to the next (advance) or previous (retreat) element, to jump over several elements forward (plus) or backward (minus), to calculate the distance between two elements (difference) and to compare the element (location) identifiers (eq, neq, less, greater, leq, geq). Note that the methods advance, retreat, plus and minus are observers since they produce objects and do not update the states of the corresponding objects.

Let Σ_O = ⟨Σ, Σ_T⟩, where Σ_T is the set of object type signatures. A Σ_O-algebra, A_O, is constructed by extending a Σ-algebra, A, with a set of elements, called object identifiers, for each object type name T. For example, a set of location addresses can be associated with the object type VecIt. We denote by T_A the set of elements associated with a data/object type T in the algebra A. In addition to the set of object identifiers, for each object type T, a (partial) function at_A: T_A → (T1_A, ..., Tn_A → T'_A) is associated in the algebra with the attribute name at: T1, ..., Tn → T' (a function at_A: T_A → T'_A is associated with the attribute name at: T') declared in the signature of T; such a function is called an attribute function. If id ∈ T_A, then at_A(id) is an attribute of id. Note that, like in object-oriented languages, the object type is always the first parameter type of its attribute function although it is never indicated in the attribute declaration. An object identifier is used as argument when the corresponding object type is a function parameter type, and an object identifier is produced when the corresponding object type is the result type of a function.

An object is a pair ⟨id, s⟩ where id is an object identifier and s is a tuple of its attributes called the object's state. For example, if id is an object identifier of type VecIt in algebra A, then the pair ⟨id, value_stored_A(id)⟩ is an object with the state value_stored_A(id).

To define the interpretation of observer and mutator names, a notion of a dynamic system is introduced.



2.2 Dynamic Systems

We discussed above only the functions defined inside the frames of object types. In a more general case, an algebra can possess a number of "stand-alone" functions and constants defined outside the frames of object types. In addition to this, higher-order functions for observing and transforming algebras can be defined. Therefore, we introduce a notion of a dynamic system possessing a number of states and a number of operations for observing and updating the states.

Generally, the specification of an object-oriented dynamic system is represented by the following tuple:

⟨(Σ, Ax), (Σ_O, Ax_O), Σ_dyn, (Σ_dep, Ax_dep), (Σ_pr, Ax_pr)⟩.

Its first component is the specification (the signature and axioms) of a number of data types and related functions, and the second component is the specification of a number of object types discussed above. The third component is the signature of a set of dynamic functions/constants which can be different in different states of a dynamic system.

A dynamic function is declared as follows:

dynamic function f: T1, ..., Tn → T;

where T1, ..., Tn are parameter types and T is a result type. A function without parameters is called a dynamic constant and declared as follows:

dynamic constant c: T;

where T is the type of the constant.

Examples:

dynamic constant an_iterator: VecIt;
dynamic function matrix: Nat, Nat → VecIt;

Let Σ_O = ⟨Σ, Σ_T⟩, Σ_D = ⟨Σ_O, Σ_dyn⟩, and A_O be a Σ_O-algebra. A Σ_D-algebra A_D is constructed by extending A_O with an element c_A ∈ T_A for a constant declaration c: T from Σ_dyn and a (partial) function f_A: T1_A, ..., Tn_A → T_A for a function declaration f: T1, ..., Tn → T from Σ_dyn. Such an algebra is called an instance algebra or state. It represents a number of objects and dynamic functions. An update of an object's state or dynamic function as well as creation or deletion of an object leads to the transformation of one instance algebra into another. Note that the carrier of A_D is the same as that of A_O.

The fourth component of the specification of a dynamic system is the signature and axioms of dependent functions. They are declared in the same way as the functions in Σ with the use of the keyword dependent. The values produced by these functions depend on the state.

The fifth component of the specification of a dynamic system is the signature and axioms of procedures serving for state transformations. A procedure is declared as follows:

procedure p: T1, ..., Tn;

where Ti are parameter types (n can be zero, i.e. a procedure can have no parameter). Example:

procedure allocate: Nat; -- allocate a number of vector iterators

Let now OID be the type of object identifiers isomorphic to natural numbers. This means that there is the sort name OID and two function names, say nat_to_id and id_to_nat in Σ and the axiom id_to_nat(nat_to_id(x)) = x, where x is a universally quantified variable of type Nat, in Ax. Given a Σ-algebra A, we assume that all object identifiers are selected from the set of values of this type sequentially so that no object identifier is selected twice. We denote by DS(A) a dynamic system based on a data algebra A and by Alg(A) the set of instance algebras satisfying the following condition: the restriction of each algebra of Alg(A) to the data signature equals A, i.e., each algebra in Alg(A) is based on the same data algebra.

Given a dynamic system signature, a data algebra A with a set of object identifiers, and a set of instance algebras Alg(A), we construct a dynamic system DS(A) by associating:

- with each observer name b: T1, ..., Tn → T' in an object type signature marked with T, a partial function b_DS mapping a tuple ⟨A_i, id, a1, ..., an⟩ (a pair ⟨A_i, id⟩ for an observer name b: T') to an element e ∈ T'_A, where A_i ∈ Alg(A), id ∈ T_A, and a_j ∈ Tj_A, j = 1, ..., n;

- with each mutator name m: T1, ..., Tn in an object type signature marked with T, a partial function m_DS mapping a tuple ⟨A_i, id, a1, ..., an⟩ (a pair ⟨A_i, id⟩ for a mutator name m without a profile) to an update set (1), where A_i ∈ Alg(A), id ∈ T_A, and a_j ∈ Tj_A, j = 1, ..., n;

- with each dependent function name f: T1, ..., Tn → T, a partial function f_DS mapping a tuple ⟨A_i, a1, ..., an⟩ (an algebra A_i for a function name f: T) to an element e ∈ T_A, where A_i ∈ Alg(A) and a_j ∈ Tj_A, j = 1, ..., n;

- with each procedure name p: T1, ..., Tn, a partial function p_DS mapping a tuple ⟨A_i, a1, ..., an⟩ (an algebra A_i for a procedure name p without a profile) to an update set, where A_i ∈ Alg(A) and a_j ∈ Tj_A, j = 1, ..., n.

Thus, an object-oriented dynamic system DS(A) of signature Σ_DS consists of a set of instance algebras Alg(A) called the carrier of DS(A) and a set of observers, mutators, dependent functions and procedures. For example, the function associated with the mutator name put_value declared in the class VecIt will produce an update set needed for updating the content of a location, and the function associated with the observer name advance will produce the identifier considered to be next to a given identifier in a given state. A call of the procedure allocate will eventually produce a new state by attaching a number of locations to the current state.

(1) See one of [1,2,3] for the definition of an update set and its use for producing a new state.

2.3 Terms and Their Interpretations

There are several rules for creating terms of object types following the conventions used in object-oriented languages. Moreover, a special kind of term called transition term is introduced to denote transitions from one algebra to another (transition rules are special cases of transition terms). The main rules for creating the terms are the following (we omit the interpretation where it is self-evident).

1. If at: T1, ..., Tn → T' is an attribute/observer declaration from the object type signature marked with T, t1, ..., tn are terms of types T1, ..., Tn, respectively, and t is a term of type T, then t.at(t1, ..., tn) is a term of type T'. Examples: vit.value_stored, vit.advance, vit.plus(2), vit.less(vit1), where vit and vit1 are the names of dynamic constants of type VecIt. The term is interpreted by invoking the corresponding attribute/observer function in the current state.

2. If t is a term of type T, then def(t) is a term of type Boolean. Interpretation: def(t) = true if t is defined in A, and def(t) = false otherwise. The interpretation of this term allows us to check whether the argument term is defined in the current state. For example, the interpretation of def(vit.advance) will let us know whether there is an object identifier next to vit in the current state.

3. If m: T1, ..., Tn is a mutator declaration from the object type signature marked with T, t1, ..., tn are terms of types T1, ..., Tn, respectively, and t is a term of type T, then t.m(t1, ..., tn) is a transition term called a mutator call. Example: vit.put_value(3). This kind of term serves for indicating an update of a mutable object. The term is interpreted by invoking the corresponding mutator.

4. If f: T1, ..., Tn → T is a dynamic/dependent function declaration and t1, ..., tn are terms of types T1, ..., Tn, respectively, then f(t1, ..., tn) is a term of type T. The term is interpreted by invoking the corresponding dynamic/dependent function.

5. If p: T1, ..., Tn is a procedure declaration and t1, ..., tn are terms of types T1, ..., Tn, respectively, then p(t1, ..., tn) is a transition term called a procedure call. The term is interpreted by invoking the corresponding procedure.

2.4 Axioms

Axioms accompanying the declarations of dependent functions are data equations of the form t1 == t2 where t1 and t2 are terms of the same type. The terms are composed of universally quantified variables, operation names from Σ, method names from Σ_O, and function names from Σ_dyn and Σ_dep. The interpretation of such a term produces an algebra element. A data equation t1 == t2 is satisfied in a dynamic system iff the interpretation of both t1 and t2 produces the same algebra element in any its state. Since a term containing the name of a dynamic function can evaluate differently in different states, the function whose specification contains such a term generally produces different results in different states (i.e. the result depends on the state).

Axioms accompanying the declarations of procedures are dynamic equations of the form t1 == t2 where t1 and t2 are two transition terms. A transition term is either a procedure call or a mutator call or a transition rule. The interpretation of either of them produces an update set. In a dynamic equation t1 == t2, the first term is normally a procedure call or mutator call and the second one is a transition rule. A dynamic equation is satisfied in a dynamic system iff the interpretation of both terms in any its state produces the same update set.

Transition rules are conventionally created like in traditional ASMs [2] with an additional possibility of using procedure calls and mutator calls in rule constructors. There is, however, an important difference in the treatment of the assignment of an undefined value to a location. There can be no single undef value for all data types. Therefore, all dynamic functions are partial, and in an update rule

f(t1, ..., tn) := undef

undef is just a keyword indicating that f(t1, ..., tn) becomes undefined.

We can now write the following axioms for the above VecIt signature (typical axioms for equality and nonequality are omitted):

var i, i1: VecIt, e: Integer, n: Nat. -- declaration of universally quantified variables
i.put_value(e) == i.value_stored := e; -- dynamic equation
i.get_value == i.value_stored; -- this and all the others are data equations
i.advance == nat_to_id(id_to_nat(i) + 1);
i.retreat == nat_to_id(id_to_nat(i) - 1);
i.plus(n) == nat_to_id(id_to_nat(i) + n);
i.minus(n) == nat_to_id(id_to_nat(i) - n);
i.difference(i1) == id_to_nat(i) - id_to_nat(i1);
i.less(i1) == id_to_nat(i) < id_to_nat(i1);
i.greater(i1) == id_to_nat(i) > id_to_nat(i1);
i.leq(i1) == id_to_nat(i) <= id_to_nat(i1);
i.geq(i1) == id_to_nat(i) >= id_to_nat(i1).

3 Generic Object Types

We cannot be satisfied with only concrete object types because many object types can have a similar structure and it would be tiresome to specify them again and again. Therefore a notion of generic object type is introduced. We start with the simplest case, unconstrained generic object types.

An object-structured specification is defined above as a triple ⟨OTYPE, OSP, int⟩, where int is a function mapping OTYPE into OSP. We propose the following way of constructing the elements of OTYPE, using two non-intersecting sets of names, T and R, called basic object type names and generic object type names, respectively: if T ∈ T, then T ∈ OTYPE; if T1, ..., Tn are elements of T and R ∈ R, then R(T1, ..., Tn) ∈ OTYPE. Elements of OTYPE are called type terms in the sequel.

Let now int(R(T1, ..., Tn)) = Spec1 and int(R(T1', ..., Tn')) = Spec2, where R(T1, ..., Tn) and R(T1', ..., Tn') are type terms and Spec1 and Spec2 are object type specifications. We say that the object type R(T1, ..., Tn) is a sibling of the object type R(T1', ..., Tn') if the replacement of each Ti with Ti', i = 1, ..., n, in Spec1 converts it in Spec2. Thus, we can say that the object types Vector(Integer) and Vector(Char) are siblings if the replacement of Integer with Char in the specification of Vector(Integer) converts it in the specification of Vector(Char) and vice versa. We can propose a special way of constructing a part of the function int for a family of object type siblings.

Let q1, ..., qn be names (of type parameters). A pair ⟨R(q1, ..., qn), Spec⟩, where R ∈ R and Spec is an object type specification additionally using q1, ..., qn as type terms in method declarations, is part of the function int, such that for any type name Ti ∈ T, i = 1, ..., n, int(R(T1, ..., Tn)) = Spec[T1/q1, ..., Tn/qn], where Spec[T1/q1, ..., Tn/qn] is an object type specification produced by replacing each qi in Spec with Ti.

The pair ⟨R(q1, ..., qn), Spec⟩ is called a generic type specification. The replacement of type parameters with type names in both parts of a generic type specification is called a generic type instantiation. Note that due to the use of the function int, we do not need to introduce a special semantics for generic object types. A generic type specification in this approach is just a way of defining a part of this function. This corresponds one to one to the practice of modern programming languages (like C++) regarding generic object types as templates.

Two type terms R(T1, ..., Tn) and R(T1', ..., Tn') are equivalent if Ti and Ti', i = 1, ..., n, are the same type name.

Example. Taking into account that in the real world we would like to have locations storing values of different types, we specify a generic vector iterator type:

class VecIt(E) = spec
  [attribute value_stored: E;
   mutator put_value: E;
   observer get_value: E;
            advance, retreat: VecIt(E);
            plus, minus: Nat → VecIt(E);
            difference: VecIt(E) → Nat;
            eq, neq, less, greater, leq, geq: VecIt(E) → Boolean]
  var e: E, i, i1: VecIt(E), n: Nat. -- declaration of universally quantified variables
  i.put_value(e) == i.value_stored := e; -- dynamic equation
  i.get_value == i.value_stored; -- this and all the others are data equations
  i.advance == nat_to_id(id_to_nat(i) + 1);
  i.retreat == nat_to_id(id_to_nat(i) - 1);
  i.plus(n) == nat_to_id(id_to_nat(i) + n);
  i.minus(n) == nat_to_id(id_to_nat(i) - n);
  i.difference(i1) == id_to_nat(i) - id_to_nat(i1);
  i.less(i1) == id_to_nat(i) < id_to_nat(i1);
  i.greater(i1) == id_to_nat(i) > id_to_nat(i1);
  i.leq(i1) == id_to_nat(i) <= id_to_nat(i1);
  i.geq(i1) == id_to_nat(i) >= id_to_nat(i1).

4 Generic Vector Type

We can now give a formal specification of the generic vector type informally defined in [4]. It is assumed that vector components (which are vector iterators) are numbered starting from zero. The allocated number of the vector components is defined by the attribute max_size, the current number of initialized components is defined by the attribute size. Vector components in the range 0..size-1 are called vector elements in the sequel. A domain clause in the specification indicates the domain of a partial function: in a domain specification t: b, the term t is defined if and only if b evaluates to true. A transition rule of the form set R1, ..., Rn indicates the parallel execution of the transition terms R1, ..., Rn.

class Vector(E) = spec
  [attribute comp: Nat → VecIt(E); -- vector components allocated by allocator
             size: Nat;            -- the current size of vector initialized by allocator
             max_size: Nat;        -- the maximum size of vector initialized by allocator
   mutator empty_vec;              -- default constructor
           initialized_vec: Nat, E; -- initialization of the content of the first n components
           copy: Vector(E);        -- copy constructor
           push_back: E;           -- add element at the end of vector
           pop_back;               -- delete the last element of vector
           insert: VecIt(E), E;    -- insert element at the position indicated
           erase: VecIt(E);        -- remove the element indicated
           swap: Vector(E);        -- swap the contents of two vectors
   observer empty: Boolean;        -- is vector empty?
            [ ]: Nat → E;          -- fetch element of vector
            front, back: E;        -- the first and last elements of vector
            begin, end: VecIt(E)]  -- the starting and terminating iterators of vector

  var e: E, iv: VecIt(E), n: Nat, v, v1: Vector(E).

  v[n]: n >= 0 & n < v.size;
  v.initialized_vec(n, e): n <= v.max_size;
  v.copy(v1): v.max_size >= v1.size;
  v.push_back(e): v.size < v.max_size;
  v.insert(iv, e): v.size < v.max_size & iv.geq(v.begin) & iv.less(v.end);
  v.erase(iv): iv.geq(v.begin) & iv.less(v.end) & v.size > 0;

  v.empty_vec == v.size := 0;
  v.initialized_vec(n, e) == set v.size := n,
      forall i: 0..n-1. v.comp(i).value_stored := e;
  v.copy(v1) == set v.size := v1.size,
      forall i: 0..v1.size-1. v.comp(i).value_stored := v1.comp(i).value_stored;
  v.push_back(e) == set v.comp(v.size).value_stored := e, v.size := v.size + 1;
  v.pop_back == v.size := v.size - 1;
  v.insert(iv, e) == set v.size := v.size + 1,
      forall i: 0..v.size-1. v.comp(i).geq(iv)
          then v.comp(i+1).value_stored := v.comp(i).value_stored,
      iv.value_stored := e;
  v.erase(iv) == set v.size := v.size - 1,
      forall i: 0..v.size-1. v.comp(i).geq(iv)
          then v.comp(i).value_stored := v.comp(i+1).value_stored;
  v.empty == v.size = 0;
  v[n] == v.comp(n).value_stored;
  v.begin == v.comp(0);
  v.end == v.begin.plus(v.size);
  v.front == v.comp(0).value_stored;
  v.back == v.comp(v.size - 1).value_stored.
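To make the Vector(E) specification above concrete, here is an added executable model written for this page; it is example code of my own, not code from the paper, from STL or from any ASM tool. It assumes a constructed memory model in which vector iterators are natural-number addresses, as in the VecIt axioms (nat_to_id/id_to_nat), and the names Vector, DomainError, InconsistentUpdateSet, elements and demo are chosen here to mirror the specification, not taken from it. Each mutator first evaluates its domain clause and then builds an update set entirely from the current state, which is applied at once: that is the meaning of a set rule, and it is why the element shift in insert and erase can read only old values without overwriting anything. The run also shows the point that matters for safety: the domain clauses make explicit the bounds conditions that the informal C++ description leaves undefined, so an out-of-range v[n], insert or push_back is rejected instead of writing past the allocated components.

```python
"""Executable model of the generic Vector(E) specification (added example)."""
from typing import Any, Dict, List, Optional, Tuple

Loc = Tuple[str, Optional[int]]   # a location: (dynamic function name, argument or None)


class DomainError(Exception):
    """A term was used outside the domain given by its domain clause (undefined)."""


class InconsistentUpdateSet(Exception):
    """Two updates of one set rule assign different values to the same location."""


class Vector:
    """Vector(E) over a constructed memory: component i lives at address base + i."""

    def __init__(self, base: int, max_size: int) -> None:
        self.base = base                  # comp(0): address of the first component
        self.max_size = max_size          # attribute max_size, fixed by the allocator
        self.size = 0                     # attribute size
        # value_stored of every allocated component; None models "undefined"
        self.mem: Dict[int, Any] = {base + i: None for i in range(max_size)}

    # ---- attribute and observer functions: they only read the current state ----
    def comp(self, i: int) -> int:        # attribute comp: Nat -> VecIt(E)
        return self.base + i

    def begin(self) -> int:               # v.begin == v.comp(0)
        return self.comp(0)

    def end(self) -> int:                 # v.end == v.begin.plus(v.size)
        return self.begin() + self.size

    def empty(self) -> bool:              # v.empty == v.size = 0
        return self.size == 0

    def at(self, n: int) -> Any:          # v[n], domain: n >= 0 & n < v.size
        if not 0 <= n < self.size:
            raise DomainError(f"v[{n}] is undefined: index outside 0..size-1")
        return self.mem[self.comp(n)]

    def front(self) -> Any:
        return self.at(0)

    def back(self) -> Any:
        return self.at(self.size - 1)

    def elements(self) -> List[Any]:
        return [self.at(n) for n in range(self.size)]

    # ---- update-set semantics of a "set R1, ..., Rn" rule ----
    def _apply(self, updates: List[Tuple[Loc, Any]]) -> None:
        """Fire all updates at once; each right-hand side was evaluated in the old state."""
        merged: Dict[Loc, Any] = {}
        for loc, val in updates:
            if loc in merged and merged[loc] != val:
                raise InconsistentUpdateSet(f"conflicting updates of {loc}")
            merged[loc] = val
        for (fn, arg), val in merged.items():
            if fn == "size":
                self.size = val
            else:                         # fn == "value_stored", arg is the iterator
                self.mem[arg] = val

    # ---- mutators: check the domain clause, then build and apply the update set ----
    def push_back(self, e: Any) -> None:  # domain: v.size < v.max_size
        if not self.size < self.max_size:
            raise DomainError("push_back is undefined: vector is full")
        self._apply([(("value_stored", self.comp(self.size)), e),
                     (("size", None), self.size + 1)])

    def pop_back(self) -> None:
        self._apply([(("size", None), self.size - 1)])

    def insert(self, iv: int, e: Any) -> None:
        # domain: v.size < v.max_size & iv.geq(v.begin) & iv.less(v.end)
        if not (self.size < self.max_size and self.begin() <= iv < self.end()):
            raise DomainError("insert is undefined: full, or iterator not in [begin, end)")
        upd: List[Tuple[Loc, Any]] = [(("size", None), self.size + 1)]
        for i in range(self.size):        # forall i: 0..size-1, size taken from the old state
            if self.comp(i) >= iv:        # v.comp(i).geq(iv): shift one place to the right
                upd.append((("value_stored", self.comp(i + 1)), self.mem[self.comp(i)]))
        upd.append((("value_stored", iv), e))
        self._apply(upd)

    def erase(self, iv: int) -> None:
        # domain: iv.geq(v.begin) & iv.less(v.end) & v.size > 0
        if not (self.begin() <= iv < self.end() and self.size > 0):
            raise DomainError("erase is undefined: iterator not in [begin, end)")
        upd: List[Tuple[Loc, Any]] = [(("size", None), self.size - 1)]
        for i in range(self.size):
            if self.comp(i) >= iv:        # shift one place to the left, reading old values
                upd.append((("value_stored", self.comp(i)), self.mem.get(self.comp(i + 1))))
        self._apply(upd)


def demo() -> Tuple[List[Any], List[Any], int]:
    """Constructed scenario: states after insert and after erase, plus the number
    of calls rejected by a domain clause."""
    v = Vector(base=100, max_size=4)      # constructed sample memory: addresses 100..103
    for e in ("a", "b", "c"):
        v.push_back(e)
    v.insert(101, "x")                    # iterator 101 is comp(1)
    after_insert = v.elements()
    rejected = 0
    for call in (lambda: v.push_back("d"), lambda: v.at(4), lambda: v.insert(104, "y")):
        try:
            call()
        except DomainError:
            rejected += 1
    v.erase(100)
    return after_insert, v.elements(), rejected


if __name__ == "__main__":
    print(demo())
```

Reading the update sets back against the axioms is the useful exercise: in insert the shift writes to comp(i+1) for every comp(i) at or after iv while iv itself receives e, so no location is updated twice and _apply never raises; an implementation that performed the same shift sequentially from the left would overwrite the old values it still needs, which is exactly what the parallel set rule rules out.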

5 Generic List Type

A list is a double-linked sequence of elements ordered according to the use of the constructor operations "push_back" (inserts an element at the end of a list), "push_front" (inserts an element at the beginning of a list), and "insert" (inserts an element in the middle of a list). All list elements are numbered starting with one for the first element. The number of the last element is equal to the number of list elements. A list element is an object of the corresponding iterator type ListIt. We define it first.

class ListIt(E) = spec
  [attribute value_stored: E;
             pred, next: ListIt(E);
   mutator put_value: E;
   observer get_value: E;
            advance, retreat: ListIt(E);
            eq, neq: ListIt(E) → Boolean]
  var i: ListIt(E), e: E.
  i.put_value(e) == i.value_stored := e;
  i.get_value == i.value_stored;
  i.advance == i.next;
  i.retreat == i.pred.

Note that, in contrast to the object type VecIt, this object type does not possess the methods plus and minus since list elements are accessed only sequentially.

Now we can define the generic list type. Due to space limitations, the specification of some mutators is left to the reader. Note that a transition rule of the form seq R1, ..., Rn indicates the sequential execution of the transition terms R1, ..., Rn, and the transition rule of the form while b do R indicates the repetition of the execution of the transition term R. The formal semantics of these rules can be found in [3].

class List(T) = spec
  [attribute begin, end: ListIt(T);      -- the starting and terminating iterators of a list
   size: Nat;                             -- current size of a list
   mutator empty_list;                    -- empty list constructor
   initialized_list: Nat, T;              -- initialized list constructor
   copy: List(T);                         -- copy constructor
   push_front: T;                         -- insert element at the beginning of a list
   push_back: T;                          -- insert element at the end of a list
   pop_front;                             -- delete the first element of a list
   pop_back;                              -- delete the last element of a list
   insert: ListIt(T), T;                  -- insert element at the position indicated
   insert: ListIt(T), Nat, T;             -- insert n elements at the position indicated
   erase: ListIt(T);                      -- remove the element indicated
   erase: ListIt(T), ListIt(T);           -- remove the elements between the iterators
   observer empty: Boolean;               -- is the list empty?
   front, back: T;                        -- first and last elements of a list
   has: ListIt(T) → Boolean;              -- auxiliary operation checking whether the iterator
                                          -- is an element of the list
   precedes: ListIt(T), ListIt(T) → Boolean]  -- auxiliary operation verifying
                                          -- that the first iterator precedes the second in the list
for e: T, n: Nat, l, l1: List(T), i, i1: ListIt(T).
  l.pop_front: l.size > 0;  l.pop_back: l.size > 0;
  l.insert(i, e): l.size > 0 & l.has(i);
  l.insert(i, n, e): l.size > 0 & l.has(i);
  l.erase(i, i1): l.size > 0 & l.has(i) & l.has(i1) & l.precedes(i, i1);
  l.front: l.size > 0;  l.back: l.size > 0;

  l.empty_list == import new_el: ListIt(T)
    set l.begin := new_el, l.end := new_el, l.size := 0;
      -- an iterator ending the list (containing no element) is created;
      -- by convention it is the terminating list iterator

  l.push_back(e) == import new_el: ListIt(T)
    set new_el.pred := l.end, l.end.next := new_el, l.end.value_stored := e,
        l.end := new_el, l.size := l.size + 1;

  l.initialized_list(n, e) == seq l.empty_list, iterate n l.push_back(e);

  l.copy(l1) == seq <sequence of transition rules>;

  l.push_front(e) == import new_el: ListIt(T) set <set of transition rules>;

  l.pop_front == set l.begin := l.begin.next, l.begin.next.pred := undef,
                     l.size := l.size - 1;

  l.pop_back == set <set of transition rules>;

  l.insert(i, e) == import new_el: ListIt(T)
    set i.next := new_el, i.next.pred := new_el,
        new_el.pred := i, new_el.next := i.next, new_el.value_stored := e,
        l.size := l.size + 1;

  l.insert(i, n, e) == seq l.insert(i, e), if n > 1 then l.insert(i.next, n-1, e);

  l.erase(i) == if l.size = 1 then l.pop_front      -- the first element is deleted
                else set i.pred.next := i.next, i.next.pred := i.pred, l.size := l.size - 1;

  l.erase(i, i1) == seq l.erase(i), if i.next.neq(i1) then l.erase(i.next, i1);

  l.front == l.begin.value_stored;  l.back == l.end.pred.value_stored;

  l.has(i) == <a term evaluating to "true" if l has i>;

  l.precedes(i, i1) == <a term evaluating to "true" if i precedes i1 in l>.

6 Object Type Categories

The generic constructs defined above permit us to specify algorithms over data structures, such as vectors or lists, abstracted from the type of the components of the structure. One of the requirements is the ability to specify also algorithms abstracted from the data structure itself, i.e. to specify an algorithm capable, for example, to manipulate both vectors and lists. Object type categories serve this purpose.

An object type category resembles a sort class of Spectrum [ ] or the class of Ruslan [6], both based on the classes introduced in [8] and those introduced in [9]. It defines a set of object type specifications with some common properties.

Let CAT be a set of names, CS a set of specifications constructed like object type specifications with the use of an extra object type name @, and int: CAT → CS a function mapping names in CAT to specifications in CS. If C ∈ CAT, cs ∈ CS, and cs = int(C), then the tuple (C, cs) is the specification of the object type category C.

Let (C, cs) be the specification of an object type category and ots the specification of an object type T. It is said that the object type T is a type of the category C (or T belongs to C) if cs[T/@] ⊆ ots, where cs[T/@] is the specification cs with the symbol @ replaced with T. That is, an object type belonging to a certain type category must include its specification as a subspecification. Example:

class cat Equal = spec          -- category of types with an equality operation
  [observer eq, neq: @ → Boolean]
for x, y, z: @.
  x.eq(x) == true;  x.eq(y) == y.eq(x);
  x.eq(y) & y.eq(z) == x.eq(z);
  x.neq(y) == not x.eq(y).

An object type possessing the methods eq and neq specified as above is a type of the category Equal. We also consider that TYPE is the name of the category with the empty specification and, therefore, any data/object type belongs to this category.

Constructing a type category, we can inherit the specification of an existing type category producing the union of the specifications as result.




A. V. Zamulin



Like an object type, an object type category can be generic, i.e. it can use type parameters in its specification. The definition of a generic object type category is the same as the definition of a generic object type. A generic object type belongs to a generic type category if their parameters match and it includes the specification of the type category as its subspecification. Iterator categories serve as examples.

1. Each iterator type of the following category has methods advance and get_value in addition to the methods of the category "Equal".

class cat InputIterator(T) = spec Equal
  [observer advance: @;      -- produces the succeeding iterator
   get_value: T]             -- reads the value stored in the iterator

2. Each iterator type of the following category has methods advance and put_value in addition to the methods of the category "Equal".

class cat OutputIterator(T) = spec Equal
  [observer advance: @;      -- produces the succeeding iterator
   mutator put_value: T]     -- stores a value in the iterator

3. Each iterator type of the following category has a mutator put_value in addition to the methods of the category "InputIterator".

class cat ForwardIterator(T) = spec InputIterator(T)
  [mutator put_value: T]
for i: @, e: T.
  i.put_value(e) == i.value_stored := e;
  i.get_value == i.value_stored

4. Each iterator type of the following category has the method retreat in addition to the methods of the category "ForwardIterator".

class cat BidirectionalIterator(T) = spec ForwardIterator(T)
  [observer retreat: @]      -- produces the preceding iterator

5. Each iterator type of the following category has several methods in addition to the methods of the category "BidirectionalIterator".

class cat RandomAccessIterator(T) = spec BidirectionalIterator(T)
  [observer plus, minus: Nat → @;
   difference: @ → Nat;
   less, greater, leq, geq: @ → Boolean]

The category of input iterators is introduced in STL to allow iteration over input streams in the same way as, say, over vectors. The category of output iterators is introduced in STL to allow iteration over output streams in the same way as, say, over vectors.

According to the definitions, an object type VecIt(T) belongs to the type categories RandomAccessIterator(T), BidirectionalIterator(T), ForwardIterator(T), OutputIterator(T), InputIterator(T), and Equal. An object type ListIt(T) belongs to the type categories BidirectionalIterator(T), ForwardIterator(T), OutputIterator(T), InputIterator(T), and Equal (it does not belong to the type category RandomAccessIterator(T), however). Thus, a vector iterator can be used in any algorithm requiring either a random access iterator or a bidirectional iterator or a forward iterator or an input iterator or an output iterator. In the same way a list iterator can be used in any algorithm except one which requires a random access iterator.



7 Constrained Genericity

According to the definitions of generic components in Section 3, any type can be used as an instantiation argument. At the same time, it is often needed that only a type belonging to a certain type category could be substituted. Therefore, the definitions of generic components should be changed according to this constraint.

A constrained generic object type is defined as follows. Let q1: C1, ..., qn: Cn be names (of type parameters) indexed with type category names. A pair (R(q1: C1, ..., qn: Cn), Spec), where R ∈ R and Spec is an object type specification additionally using q1, ..., qn as type terms in method declarations and operators from Ci in axioms, is part of the function int, such that for any type terms Ti of type category Ci, i = 1, ..., n, int(R(T1, ..., Tn)) = Spec[T1/q1, ..., Tn/qn], where Spec[T1/q1, ..., Tn/qn] is an object type specification produced by replacing each qi in Spec with Ti. A constrained generic type category is defined in a similar way.

A generic function declaration is a triple (gf, (q1: C1, ..., qn: Cn), FP), where gf is a (generic) function name, q1: C1, ..., qn: Cn are names (of type parameters) indexed with type category names and FP is a function profile additionally using q1, ..., qn as type terms.

If gf: (q1: C1, ..., qn: Cn), FP is a generic function declaration and T1, ..., Tn are type terms of type categories C1, ..., Cn, respectively, then gf(T1, ..., Tn): FP' is an instantiated function declaration, where FP' is a function profile produced by replacing each qi in FP with Ti; gf(T1, ..., Tn) is called an instantiated function name. Instantiated function names are used for producing data terms in the same way as ordinary function names are used.

If gf: (q1: C1, ..., qn: Cn), FP is the declaration of a dynamic function, then any algebra of the given signature is provided with a function ρ binding an instantiated function name gf(T1, ..., Tn) to a function as it is described in Section 2.2 for dynamic functions.

If gf: (q1: C1, ..., qn: Cn), FP is the declaration of a dependant function, then a dynamic system is provided with a function ρ binding an instantiated function name gf(T1, ..., Tn) to a function as it is described in Section 2.2 for dependant functions.

A generic function specification consists of a generic function declaration and a set of axioms using instantiated function names in their terms.

Notation: we use the brackets gen ... pr to brace type parameters in a generic function declaration.

Examples:

1. Specify a function which looks for a value in a data structure between first and last iterators and returns the iterator storing the value if it is found and the last iterator if the value is not found.

gen find: I: InputIterator, T: TYPE pr: I(T), I(T), T → I(T);
for first, last: I(T), value: T.
  find(I, T)(first, last, value) ==
    if first.get_value = value or first.eq(last) then first
    else find(I, T)(first.advance, last, value).

Now, if we have the following declarations:
  vec: Vector(Integer);
  list: List(Char);
we can invoke the function in the following ways:
  find(VecIt, Nat)(vec.begin, vec.end, 7);
  find(ListIt, Char)(list.begin, list.end, 'a');

In this case both vector iterators and list iterators can be used because both belong to the category of input iterators required in the function specification. Note the substitution of the generic types VecIt and ListIt for the generic type category I. In the next example list iterators cannot be used.

2. Specify a function which performs binary search in a structure containing ordered components and returns the iterator containing the element to be found (for simplicity we assume that the structure really contains the element).

gen binary_find: I: RandomAccessIterator, T: Ordered pr I(T), I(T), T → I(T);
for first, last: I(T), value: T.
  binary_find(I, T)(first, last, value) ==
    let d = last.difference(first), m = d/2,
        current = first.plus(m), cv = current.get_value
    in if cv = value then current
       else if value < cv then binary_find(I, T)(first, current, value)
       else binary_find(I, T)(current, last, value).

Now, we can call the function with vector iterators like the following:
  binary_find(VecIt, Nat)(vec.begin, vec.end, 7)
because vector iterators belong to the class RandomAccessIterator, and we cannot call it with list iterators. Note the use of the type category Ordered (not defined here) which is needed to make sure that the type of the components contains the operation "<".

The above examples show the way in which generic functions abstracting both from the structure and from the type of its components can be specified.
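The two generic functions above, as an added C++ example (not the paper's own code): the paper's type categories InputIterator and RandomAccessIterator are approximated by iterator_traits category tags checked with static_assert, so a list iterator is accepted by find but rejected by binary_find at compile time, as the text states. The containers and values are constructed sample data.

```cpp
#include <iterator>
#include <list>
#include <type_traits>
#include <vector>

// The iterator category tag plays the role of the paper's type category.
template <typename I>
using category_of = typename std::iterator_traits<I>::iterator_category;

// find(I, T)(first, last, value): any input iterator qualifies.
// Returns the iterator storing `value`, or `last` if it is absent.
template <typename I, typename T>
I generic_find(I first, I last, const T& value) {
    static_assert(std::is_base_of<std::input_iterator_tag, category_of<I>>::value,
                  "find requires an InputIterator");
    // first.get_value = value or first.eq(last) -> first; else continue with first.advance
    while (first != last && !(*first == value)) {
        ++first;
    }
    return first;
}

// binary_find(I, T)(first, last, value): only random access iterators qualify,
// because difference and plus are needed. Unlike the paper, which assumes the
// element is present, this version returns the original `last` when it is absent.
template <typename I, typename T>
I binary_find(I first, I last, const T& value) {
    static_assert(std::is_base_of<std::random_access_iterator_tag, category_of<I>>::value,
                  "binary_find requires a RandomAccessIterator");
    const I not_found = last;
    while (first != last) {
        auto d = last - first;              // last.difference(first)
        I current = first + d / 2;          // first.plus(d/2)
        if (*current == value) return current;
        if (value < *current) last = current;   // binary_find(first, current, value)
        else first = current + 1;               // binary_find(current, last, value), cv already ruled out
    }
    return not_found;
}

// Constructed sample: index of 7 in an ordered vector via both algorithms (-1 if they disagree).
int demo_vector_find() {
    std::vector<int> vec = {1, 3, 5, 7, 9, 11};
    auto a = generic_find(vec.begin(), vec.end(), 7);
    auto b = binary_find(vec.begin(), vec.end(), 7);
    return (a == b) ? static_cast<int>(a - vec.begin()) : -1;
}

// Constructed sample: position of 'a' in a list. A list iterator is only
// bidirectional, so binary_find(lst.begin(), lst.end(), 'a') would not compile.
int demo_list_find() {
    std::list<char> lst = {'x', 'a', 'q'};
    auto it = generic_find(lst.begin(), lst.end(), 'a');
    return static_cast<int>(std::distance(lst.begin(), it));
}

// Both algorithms return the end iterator for a value that is not present.
bool demo_not_found() {
    std::vector<int> vec = {2, 4, 6};
    return binary_find(vec.begin(), vec.end(), 5) == vec.end()
        && generic_find(vec.begin(), vec.end(), 5) == vec.end();
}
```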
Generic procedures are declared similarly to generic functions and are specified similarly to ordinary procedures. The vector allocator, a special procedure which allocates memory for a particular vector (according to STL, such a procedure is associated with each container class), can serve as an example. The import rule of Gurevich's ASMs [2] is used in the specification for creating a new object identifier.

gen vec_allocator: T: TYPE pr Vector(T), Nat;
for v: Vector(T), n: Nat.
  vec_allocator(T)(v, n) ==
    set v.max_size := n, v.size := 0,
        for i = 0 .. n-1. import new_el: Vector(T) v.comp(i) := new_el
    -- vector attributes are initialized.

If intvec is a dynamic constant of type Vector(Integer), then vec_allocator(Integer)(intvec, n) will allocate n noninitialized locations to intvec and set initial values to its attributes max_size and size.

Related Work

We are not going to discuss here the approaches representing object states as elements of the same algebra. Work along this approach is mainly based on traditional algebraic specification methods. We can only repeat after M. Parisi-Presicce and A. Pierantonio that "the algebraic framework so far has been inadequate in describing the dynamic properties of objects and their state transformation as well as more complex notions typical of the object oriented paradigm such as object identity and persistence of objects" [ ]. The interested reader can refer to [ , 2, 3, 4].

There are several works considering object states as algebras. Object-oriented extensions of the prominent specification methods VDM [ ] and Z [ 6] are the first of them.

VDM++ [ 7] introduces a notion of class definition as a template for a collection of objects possessing a number of instance variables (internal state) and methods (external protocol). The definitions of the methods of existing classes can be inherited when a new class is defined (multiple inheritance). An object's initial state and invariant can be specified. A set of statements typical of imperative programming languages is provided. Unfortunately, the description of the semantics of the language is done rather informally, in the way that the semantics of programming languages is usually described. As a result, the user gets an impression that VDM++ is a programming language provided with some specification facilities (pre- and post-conditions) rather than a specification language. No genericity is provided in the language.

Object-Z [ 8] practically has the same features as VDM++ with the difference that it is based on Z. A class here is a set of attributes and a set of operations acting upon these attributes. In contrast to VDM++, the semantics of Object-Z is formally given. A state is considered as a function from a set of identifiers (attributes) to the set of all possible values. One can say that it corresponds to a homogeneous algebra whose signature contains only constant symbols (compare it with a more general case where functions as algebra components play a significant role). A class definition can be supplied with a number of type parameters; a kind of unconstrained genericity is provided in this way. No notion of class category and, respectively, constrained genericity exists in the language. Object creation is also not provided by the language. Therefore a specification similar to the specification of list types given above is not possible.

Z++ [ 9, 2 ] is another development based on Z providing facilities comparable to those of Object-Z. The main difference is that its syntax is quite different from that of Object-Z (which actually follows the syntax of Z) and is chosen to stress the commonality of the language with object-oriented programming languages like Eiffel. The formal semantics of the language is defined by means of category theory. However, the main attention is paid to the formal definition of refinements between classes while such important notions as state, class, object, etc. are considered well-known and not defined in the semantics. Like in Object-Z, a class definition in Z++ can be supplied with a number of type parameters providing unconstrained genericity. Again, no notion of class category (in our sense) and, respectively, constrained genericity exists in the language. The semantics of a generic class specification is also not reported.

In [2 ] objects are elements of instance structures which are quadruples of algebras of different signatures. Specifications of the algebras resemble traditional algebraic specifications. One of the algebras is extended with extra "state function symbols" mapping object identifiers to their values. Dynamic operations serving for object evolution are modelled by algebra morphisms. The author believes that the specification of these operations should have an imperative nature, but does not suggest a method of specification. The approach is further formalized with the use of category theory in [ ]. In contrast to all of this, we represent the state by a single algebra, believe that there is no necessity for state function symbols since user-defined observers perfectly serve for this purpose, and suggest a concrete method of specification by means of transition rules.

The "Hidden Sorted Algebra" approach [ ], where some sorts are distinguished as hidden and some others as visible, treats states as values of hidden sorts. Visible sorts are used to represent values which can be observed in a given state. States are explicitly described in the specification, in contrast to our approach.

This work combined with Meseguer's rewriting logic [22] has served as the basis of the dynamic aspects of the language CafeOBJ [23]. In this language states and transitions are modelled, respectively, as objects and arrows belonging to the same rewrite model which is a categorical extension of the algebraic structure. Meseguer's rewriting logic is also the basis of the specification language Maude [24].

The specification language Troll [2 ] should be mentioned as one of the main practical achievements in the field. Troll is oriented to the specification of objects where a method (event) is specified by means of evaluation rules similar to equations on attributes. Although the semantics of Troll is given rather informally, there is a strong mathematical foundation of its dialect Troll-light [26] with the use of data algebras, attribute algebras and event algebras. A relation constructed on two sets of attribute algebras and a set of event algebras formalizes transitions from one attribute algebra to another.

Although Troll possesses generic facilities, none of them is formalized in [26].

The problem of constrained genericity in object-oriented class libraries is discussed in [27]. Abstract classes resembling our object type categories are used there for constraining the generic parameters, and a notion of syntactical conformance is introduced for checking whether a concrete class is an instance of a given abstract class. There is an important difference between an abstract class and a concrete class since one cannot create an object of an abstract class. In fact, an abstract class specifies some methods common for a community of concrete classes. For this reason we make a clear difference between object types and object type categories, which are independently specified. An additional feature of our approach is generic object type categories standing for communities of generic object types.

Finally, attention should be paid to a fundamental work [28] formalizing bounded parametric polymorphism similar to our constrained genericity. Here genericity is constrained by allowing only those type arguments which are subtypes of the parameter type. In this respect, this approach is very similar to the previous one. Another peculiarity of the work is that an object does not possess a unique identifier, it is just a tuple of methods, and object updates are simulated by method overrides generally producing new objects.



Conclusion

Mechanisms for the specification of generic object types and type categories are introduced in the paper. With the use of these mechanisms, many generic algorithms abstracting from the type of the data structure being manipulated can be easily specified. Although the general technique of generic type specification is well-known and can be found in the literature, the novelty of this work is the extension of the technique to the case of object-oriented ASMs. Another novelty is the definition and use of generic type categories for the specification of generic algorithms.

The described technique has permitted us to specify some components of the Standard Template Library for C++. The library thus specified can be easily adapted to another object-oriented language. The experience obtained in the process of the specification has proved the power of the technique. Its main features can be summarized as follows:

1. We represent immutable values by data types and specify them algebrai-
2. We represent mutable objects possessing states by object types and specify them by means of transition rules.
3. We define generic (data, object) types to abstract from the type of the component.
4. We define (data, object) type categories to abstract from the structure.
5. We define a generic algorithm by means of transition rules manipulating the objects thus specified.

Tools supporting this style of specification remain the subject of further work.
... called descriptions of algorithms, either formal or informal, employ data structures, operations on them, and some policy to cause operations applied to data.

Gurevich calls a formal description technique for algorithms algorithm universal if it allows for each informally described algorithm a formal representation that would essentially make precise the notions used in the informal description, not employing additional data, operations or steps.

Gurevich's Thesis claims Abstract State Machines algorithm universal for conventional, sequential algorithms.

Here we are behind properties of formal presentations that are algorithm universal for unconventional, distributed algorithms.

1 Unconventional Algorithms

1.1 Algorithmic Ideas

The design of a computer embedded solution to a real world problem always includes phases of algorithmic ideas. An algorithmic idea describes intuitive, tentative, not yet fully specified aspects of an intended algorithm. Though inevitably vague, an algorithmic idea is intended to be transformed into an unambiguous, formally presented algorithm.

Experience reveals that all algorithmic ideas cover three kinds of components: First, a choice of passive components. This includes data items in various roles (e.g. data stored in databases, data in a transient buffer, or data available for processing), variables with their respective actual values, and potential locations of control items.

Second, a choice of active components. This includes operations to observe or to change (update) passive components, e.g. reading a variable, writing a variable, establishing new control items, transporting data items to other places (as e.g. in case of input and output), providing new roles or contexts to data items.

Third, a policy to activate active components and to cause their action. This includes sequential policies that cause sequences of action occurrences, as well as parallel policies that cause sequences of sets of action occurrences, and distributed policies, that cause actions to occur in partially specified order.

Y. Gurevich et al. (Eds.), pp. –
© Springer-Verlag Berlin Heidelberg 2000
1.2 Conventional Algorithms

We denote an algorithm conventional if it sticks to the conventional paradigm of computing: Upon all input available, the algorithm starts. Elementary actions are executed in sequence, conditional alternative, and conditional iteration. A run should terminate and provide output. Non-terminating runs are considered erroneous, providing no output. Such an algorithm computes a partial function from the set of potential inputs to the set of potential outputs.

The intermediate choice of actions may not be unique, in which case one of them is selected nondeterministically. The algorithm computes a relation in this case.



1.3 Reactive Algorithms

As a first liberalization of the conventional paradigm, not all input is required to be initially available, nor is all output postponed until termination: Input and output may occur during a run, as outlined in Fig. 1.



Fig. 1. Outline of a run of a reactive algorithm



This yields a number of consequences: Firstly, a run may wait for fresh input. 'Waiting' is a really new aspect, not present in any conventional theories of computation. Secondly, a run of such an algorithm is sensible also if it diverges. Different diverging runs may execute different interactions with their environment.

Each run of this kind of algorithm transforms a finite or infinite sequence of input data into a finite or infinite sequence of output data: The algorithm reacts to each new input item with fresh output items; hence the term of reactive algorithms.

Typical examples of such algorithms are technical control algorithms, such as e.g. lift control.

1.4 Cooperating Algorithms

Two reactive algorithms A and B may cooperate, with output of A used as input for B and vice versa, output of B used as input for A. In addition, the two algorithms may cooperate with their environment. Fig. 2 outlines this situation. Typical examples of such algorithms are communication protocols.
Fig. 2. Outline of a run of cooperating algorithms
1.5 Network Algorithms

The idea of cooperating algorithms can be generalized to networks of local algorithms. Each local algorithm in such a network is directly linked to its neighbor algorithms, as outlined in Fig. 3.




Fig. 3. Network of local algorithms A, ..., E

They may perform a task in cooperation, sending messages to neighbors, as sketched in Fig. 4.

1.6 Shared Memory and Threads-on-the-Fly

A shared memory algorithm consists of two or more threads of actions, performed on storage private to the threads, as well as on common storage. Threads of control may be generated as well as destroyed during an algorithm's run.
Fig. 4. Outline of a run of the network in Fig. 3

Fig. 5. Regularly structured threads of control



Fig. 5 shows a regularly structured split of a thread of control. In contrast, not all parts of a thread of control can uniquely be assigned to a pair of fork and join in Fig. 6.



Fig. 6. Irregularly structured threads of control



Fork and join may dynamically be generated during a run of an algorithm. The overall number of parallel threads thus is not fixed or predictable beforehand. The notion of a determined thread of control fades away.




W. Reisig



1.7 Liberal Policies of Action

Some versions of conventional algorithms do with quite liberal policies of action. As an - admittedly extreme - example, consider the set of symbols {a, b, c, d, e} with the standard alphabetic order, <, and the set {1, ..., 5} of indices with their natural order. Furthermore, assume an initial pairing of letters and indices, e.g. (a, ), (b, ), (c, 3), (d, 2), (e, 4). Our task is to order the symbols properly, resulting in the pairs (a, 1), ..., (e, 5). The only available operation, swap((x, i), (y, j)), is defined for letters x, y and indices i, j. This operation is activated if x > y and i < j, in which case it returns (x, j) and (y, i).

The crucial point is the policy of action. We describe it intuitively, conceiving each pair (x, i) as a fish, x, with a sticker, i.

The fishes are swimming around in an aquarium, as sketched in Fig. 7. Whenever two fish meet, they exchange their stickers in case the order of fishes and stickers do not coincide.

Is this an algorithm at all? What minimal requirements guarantee termination? How to detect termination?

1.8 Progress and Quiescence

Conventional algorithms are always to run. For example, execution of a program does not stall with an enabled statement: all statements are progressing. Unconventional algorithms may have actions that are not progressing, but quiescent: they may remain enabled forever.

As an example, a reasonable algorithm that organizes mutual exclusion (mutex) must do with at least three states for each involved site. Calling those states quiet, pending, and critical, a quiet site must spontaneously be able to become pending, but must also be able to remain quiet forever; the step from quiet to pending is "quiescent". The algorithm furthermore must guarantee that pending will eventually lead to critical and back to quiet. Hence all other actions are "progressing".

Algorithms are frequently composed with other algorithms along quiescent actions. Quiescence then hints at additional preconditions that are not explicitly stated in the algorithm itself.



1.9 Fairness Assumptions

Nondeterministic choice among two or more actions can be required to be performed fairly: a run is discarded if it infinitely often is to decide the same alternative and decides always in favor of the same action (up to finitely many exceptions).

Fairness assumptions are irrelevant for conventional algorithms. Fairness assumptions leave the scope of computable functions; they can be verified or falsified only with infinite behavior. Fairness cannot be implemented literally; one usually implements a stronger assumption, ruling out more runs.

As an example, all mutex algorithms need a fairness assumption [ ]. This assumption is frequently shifted into fair reading of variables. Then the debate of the forthcoming Chapter 2 applies: If fair reading of shared variables is guaranteed, the problem is solved.



1.10 Schemata for Algorithms

Algorithms frequently don't determine all aspects of computation. The most prominent parameter for computation is input. Unconventional algorithms do with further parameters.

For example, the echo algorithm is a schema to broadcast acknowledged messages within connected, directed networks of agents and message lines. Algorithmic behavior, concurrent runs etc. manifests in single networks only. The echo algorithm is just a schema for many algorithms: each concrete graph defines a specific algorithm.



1.11 Specification of Algorithms

A specification of an algorithm does not formulate operational behavior, but just states its crucial properties. For example, each mutex algorithm assumes two partners, l and r, with states quiet, pending and critical, and the steps as discussed in 1.8. In addition, never are both partners coincidentally critical. Any algorithm that meets those requirements is a perfect mutex algorithm.

More involved specifications do with requirements that guarantee distinguished behavior only if they can rely on proper input.





1.12 Algorithm Universal Formalisms

A formal presentation may stick more or less tightly to an algorithmic idea. The most liberal fashion would suggest that an algorithmic idea essentially describes a computable function. A formal presentation of the algorithmic idea then formalizes this function by mathematical means. The tightmost fashion was a formal presentation that would give the passive and active components of the algorithmic idea a precise meaning, avoiding any new components, and likewise would reflect the algorithmic idea's activation policy in such a way that the steps of the formal presentation bijectively correspond to the steps of the algorithmic idea. Gurevich in [ ] calls such a formal description technique for algorithms algorithm universal.

The sequential ASM thesis of [ ] claims that sequential ASMs are algorithm universal for conventional algorithms, as described in 1.2, as well as for reactive algorithms as described in 1.3.

Here we are behind the problem of universal description techniques for all unconventional algorithms, some of which we outlined above.

We will not commit ourselves as to whether or not parallel and distributed ASMs would meet this property. Instead, in addition to the above described issues, in the rest of the paper we discuss some aspects of unconventional algorithms that must be respected by a universal description technique.

The above classification takes up an ongoing discussion on algorithmic concepts that would not just compute partial functions. [ 6] made reactive algorithms popular. For cooperating and network algorithms, cf. [ ], [ ] and [2 ]. Shared memory and dynamically generated threads have been studied for decades, cf. [4]. Liberal policies of action and schemata are covered in [2 ], among others. Specification issues are mainly discussed in the framework of temporal logic, such as e.g. in UNITY [ ] or [4]. Fundamental aspects of liberal policies of algorithms are discussed in [ 7] and [2 ].

2 Accessing Variables

It may come as a surprise that we conceive reading the actual value of variables the first issue to be considered here. Reading is a quite obvious, simple operation in conventional algorithms.

Unconventional algorithms, however, frequently consist of local agents that share variables: A shared variable can be addressed by two or more agents. If they do so coincidentally, the outcome is debatable. There are two main approaches to tackle this problem.



2.1 Reading Doesn't Matter

The idea of this approach is one distinguished agent who owns the variable and may both read (test) and write (change) it. All other agents are only allowed to read. Reading is assumed not to really interfere with writing. Lamport in [ 3] nicely exemplifies this approach by some kind of a flag that can be raised and lowered by one person only. Others may observe the flag.

The observer (reader) of the flag does not affect the flag in any respect. In particular, the observer of the flag cannot prevent the flag's owner from raising and lowering it.



2.2 Reading Matters

Lamport's above described approach properly reflects our everyday physical environment. It includes myriads of light waves that are reflected by items' surfaces, e.g. flags, and later on caught by humans' eyes. This is why observation does not affect the observed.

Not all physical universes are structured like this. An example is the universe of computer hardware.

Reading a variable, i.e. copying the actual value of a register, is physically realized as a sequence of actions that indeed affect the register's contents. These contents may be unreliable, unpredictable or in fact different from the expected value at intermediate states. While being read, the register cannot be written at the same time.

A register like this behaves like a notebook used by a group of agents. Both actions of reading and writing require exclusive control. It is the agents' access to the notebook that counts for the purpose of writing and reading alike.

2.3 Conclusion

To what extent do the above considerations affect the construction of algorithms?

Conventional algorithms are not affected at all, but unconventional algorithms are affected to a great extent. For example, a lot of algorithms that organize mutual exclusion are sensible only in the framework of the first approach, where reading is assumed not to affect a variable.

There is a traditional bias to conceive the assumptions of the first approach as more convenient and natural than the second. This is why operating systems frequently offer a surface to processes that pretends the assumptions of the first approach, in particular interference free reading. The second approach will however turn out more lucid for a systematic approach to unconventional algorithms.
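As an added illustration of the two approaches (example code written for this edition, not part of the paper): a register whose value is stored in two halves, so that every read and every write is a sequence of two steps, as in 2.2. The interleaving is fixed by a schedule string in which each letter selects the agent that performs its next step. Under the first approach (`exclusive=False`) the reader may observe a value that was never written; under the second approach (`exclusive=True`) reading requires the same exclusive control as writing, so the reader's steps are blocked while the writer holds the register and every completed read returns a value that was actually written. The two-half register, the sample values and the schedule format are assumptions of this example.

```python
"""Reading a shared register under the two approaches of section 2.
Added example, not code from the paper.  The register is modelled as two
16-bit halves (hi, lo), so reading and writing are two-step operations."""

OLD, NEW = 0x0000FFFF, 0x00010000   # constructed sample values


def split(value):
    """Split a 32-bit value into its (hi, lo) 16-bit halves."""
    return (value >> 16) & 0xFFFF, value & 0xFFFF


def join(hi, lo):
    return (hi << 16) | lo


def writer_steps(reg, value):
    """Two-step write: first the high half, then the low half."""
    hi, lo = split(value)
    reg[0] = hi
    yield
    reg[1] = lo
    yield


def reader_steps(reg, out):
    """Two-step read: copy the high half, then the low half."""
    hi = reg[0]
    yield
    out.append(join(hi, reg[1]))
    yield


def run(schedule, exclusive, old=OLD, new=NEW):
    """Interleave one writer ('W') and one reader ('R') as dictated by the
    schedule string.  With exclusive=True a step of an agent is blocked
    (skipped) while the other agent is in the middle of its operation, i.e.
    reading and writing both require exclusive control of the register.
    Returns (values_read, blocked_steps)."""
    reg = list(split(old))
    reads = []
    agents = {"W": writer_steps(reg, new), "R": reader_steps(reg, reads)}
    in_progress = {"W": False, "R": False}   # agent is between its two steps
    blocked = []
    for who in schedule:
        other = "R" if who == "W" else "W"
        if exclusive and in_progress[other]:
            blocked.append(who)
            continue
        try:
            next(agents[who])
        except StopIteration:
            continue                           # this agent already finished
        in_progress[who] = not in_progress[who]
    return reads, blocked


def torn_values(reads, old=OLD, new=NEW):
    """Values observed by the reader that were never written (approach 2.1
    assumed where it does not hold)."""
    return [v for v in reads if v not in (old, new)]


if __name__ == "__main__":
    print(run("WRRW", exclusive=False))      # reader sees 0x1FFFF, never written
    print(run("WRRWRR", exclusive=True))     # reader blocked twice, then sees NEW
```

The schedule `WRRW` lets the reader run between the writer's two steps: without exclusive control it returns the high half of the new value joined with the low half of the old one. With exclusive control the same two reader steps are refused, and the reader only completes once the writer has released the register.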
3 Sequential and Concurrent Runs

3.1 The Notion of Runs

The notion of a single run is fundamental for algorithms. In fact, an algorithm's primary purpose is to characterize infinitely many (and, frequently, infinitely long) runs.

A run comprises occurrences of actions, called events. Events can be ordered according to different aspects. One aspect assumes a (totally ordered) time scale, defining a time stamp for each event. A run then is lockstep if two or more events may be given the same time stamp. Otherwise it is sequential.

Another aspect describes causality: An event causes preconditions for its direct successors. The transitive closure of the direct successor relation then is a partial order which describes the causal dependencies among events. Runs with this order are concurrent. Long standing disputes emphasize advantages and disadvantages of sequential and concurrent runs.

Sequential runs are frequently considered more natural, convenient and widespread. In the context of algorithm universal formalisms however, concurrent runs are inevitable. Forthcoming sections have the details.



3.2 Example

As an example consider Dijkstra's well known system of five philosophers a, ..., e, sitting around a table. Each philosopher alternates the actions of thinking and eating. As an additional requirement, neighbored philosophers are never to eat together. Each pair of neighbors shares a fork to this end. A philosopher can start eating only if he finds his adjacent two forks available. In this case he picks them up (in which moment they are no longer available) and makes them available again only upon terminating eating.

ASMs suggest to freely choose a level of abstraction at our convenience. So we choose action A to comprise philosopher a picking up his adjacent forks, eating, and releasing his forks. Actions B, C, D and E are defined accordingly.



3.3 Sequential Runs

What are the sequential runs of the above algorithm? Apparently, each infinite sequence w ∈ {A, ..., E}^ω. At the given level of abstraction, neighbored philosophers, never eating together, cannot be distinguished from detached philosophers who very well might eat together.

Writing x over y to denote concurrent events x and y, one may construct lockstep runs

    x₁ x₂ ...
    y₁ y₂ ...

where xᵢ and yᵢ denote events of detached philosophers (i = 1, 2, ...). This works nicely for four philosophers. However, lockstep runs cannot adequately represent, for example, an occurrence of A while an occurrence of C is followed by an occurrence of D.



3.4 Refinement

To overcome the shortcomings of sequential and lockstep runs, one may refine the actions A, ..., E. For example, A may be replaced by three actions A₁, A₂ and A₃, denoting the philosopher a to pick up his adjacent forks, to eat and to release his forks, respectively. A sequence beginning A₁ A₂ B₁ is then ruled out, for obvious reasons.

Interleaved and lockstep runs consisting of refined actions could more truly express causal relations than the above runs of unrefined actions can. But ASMs insist in the specifier's right to choose an abstraction level at his convenience. A proper way to solve the problem is the use of concurrent runs, to be considered next.

3.5 Concurrent Runs

We introduce concurrent runs of the philosophers algorithm on the above introduced level of actions A, ..., E. Those runs very well allow to distinguish the requirement of neighbors not eating concurrently. Graphically, let

    \ /
     A
    / \

represent the above described action A, with ingoing arcs denoting the forks of a being available to a, and the outgoing arcs denoting the forks of a being released by a.

Fig. 8 then shows some (out of infinitely many) concurrent runs of the philosophers' algorithm: Philosophers a and c start concurrently, followed by b twice in a row. d acts after c, and e after a and d.

3.6 Concurrent Determinism

Concurrent runs nicely depict a whole bunch of important aspects of behavior. Concurrent determinism is one of them: An algorithm is concurrent deterministic if each initial state yields one concurrent run. As an example assume the above described system of five philosophers, with the additional requirement of taking turns: neighbored philosophers alternate use of their shared fork. A fixed initial appointment of each fork to one of its users then yields a unique concurrent run. Fig. 9 and Fig. 10 exemplify two such decent runs. Fig. 11 outlines different patterns in those runs.

[Fig. 9: A decent concurrent run of the philosophers' system]

3.7 Local States in Concurrent Runs

The above examples of concurrent runs consist of occurrences of five actions, A, ..., E. Direct succession of two such occurrences, graphically depicted e.g. C → D in Fig. 9, implicitly includes a state that describes the common fork of C and D as being released by C, apt to be picked up by D.

[Fig. 10: A further decent concurrent run of the philosophers' system]

[Fig. 11: Different patterns in the runs of Fig. 9 and Fig. 10]



Local states in concurrent runs are frequently much more prominent: There are concurrent runs that are essentially characterized by their local states. The runs of the sorting algorithm of Chapter 1.7 illustrate this.

With xi denoting the pair (x, i) consisting of 'fish x with sticker i', Fig. 12 and Fig. 13 show two runs of the sorting algorithm. An event is represented as

    \ /
    / \

[Fig. 12: A concurrent run of distributed sorting]

[Fig. 13: A further concurrent run of distributed sorting]

Each event is an instance of the action of two fishes swapping their stickers. The involved fishes and stickers are indicated by the local states presented at the arcs' starting and ending nodes, respectively.

3.8 Is There More in Concurrent Runs?

The sequential and concurrent runs of an algorithm are tightly intertwined: A concurrent run, i.e. a partially ordered set of events, uniquely defines a set of total extensions of its order. This yields sequences of actions. Each such sequence of course is a sequential run of the algorithm. The total extensions of all concurrent runs are just the sequential runs.

Vice versa, can the concurrent runs be derived from the sequential runs? This depends on knowledge about the involved actions' scope, the topic of the next chapter.

3.9 A Short History of Concurrent Runs

Research into concurrent runs started with [ ] as well as [9], suggesting acyclic graphs with nodes denoting events and arcs denoting causal precedence. Petri in [ ] describes how to construct the concurrent runs of condition-event systems, the most elementary class of Petri nets. Lamport advocates concurrent runs in [ 2], but renounces them in [4]. Concurrent runs have been suggested for several versions of Petri nets [ ], [3], and other system models [7]. They are extensively employed in [2 ]. The issue has been debated in an electronic discussion on the concurrency mailing list, reprinted in [9].



4 Scope of Actions

The scope of an action includes all variables that the action addresses. This notion is not too important for conventional algorithms. It is however decisive when unconventional algorithms are to be specified, constructed and analyzed.



4.1 Example

As an example consider two integer variables x and y, and a boolean variable z. Let

    init = x := 0; z := true; y := 0

Furthermore, let

    X = while true do x := x + 1;
    Y = while true do y := y + 1;
    prog₁ = init; X || Y

The meaning of the program is obvious: initialization init is followed by parallel execution of X and Y. With X and Y atomic actions, the sequential runs of prog₁ are all infinite words w ∈ {X, Y}^ω with both X and Y occurring infinitely often in w.

prog₁ has exactly one concurrent run, to be depicted as in Fig. 14.

[Fig. 14: The concurrent run of prog₁]

4.2 A Variant

As a variant of the above program, assume the variables x, y, z and the initialization init as above. Furthermore, let

    X = while z do x := x + 1;
    Y = while z do y := y + 1;

and

    prog₂ = init; X || Y

The sequential runs of prog₁ and prog₂ coincide.

The concurrent runs of prog₂ depend on the approach to reading of variable z, as discussed in Chapter 2. Concurrent runs are based on the assumption that reading affects the variable, as described in 2.2. prog₂ then exhibits infinitely many concurrent runs. One of them can be depicted as in Fig. 15.

[Fig. 15: A concurrent run of prog₂]



4.3 Hidden Arguments

As a further example for the crucial role of the scope of actions, let x and y be variables over some domain A, and let f : A → A be a function. The semantics of x := f(x) in a concurrent run can be depicted as in Fig. 16.

In this figure, f denotes an event that transforms the local state of x, actually x = n, into the local state x = f(n), thereby not touching the local state of y, given by y = m.

[Fig. 16: Occurrence of x := f(x), transforming x = n into x = f(n) beside an untouched y = m]

Now, let g : A × A → A be defined by g(a, a') = f(a), i.e. the second argument of g does not affect the outcome of g. Hence, f(x) and g(x, y) yield the same result for all values of x and y. Replacing f(x) by g(x, y) does not change any result of a sequential run.

The scope of f(x) is {x}, whereas the scope of g(x, y) is {x, y}. The semantics of x := g(x, y) in a concurrent run is depicted in Fig. 17.

[Fig. 17: Occurrence of x := g(x, y)]

In this figure, g denotes an event that transforms the local states of both x and y, actually x = n and y = m, respectively, into the local states x = f(n) and y = m.

Summing up, f(x) and g(x, y) would cause equal effects in sequential runs, but different effects in concurrent runs.

4.4 Deriving Concurrent Runs from Sequential Runs

Summing up the above observation, concurrent runs explicitly respect, represent and exploit the scope of actions, whereas sequential runs don't. This yields different notions of equivalence: The two programs of 4.1 and 4.2 as well as the above assignment statements x := f(x) and x := g(x, y) may mutually be substituted in sequential runs. They may however not be substituted in concurrent runs, because they would change the actions' scope.

We are now prepared to return to the question stated in 3.8 and state the proposition:

Concurrent runs of an algorithm are derivable from its sequential runs if and only if the involved actions' scope is known.
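The following is an added worked example (written for this edition, not code from the paper) of the proposition and of sections 3.3, 3.5, 3.8, 4.1 to 4.3: given a sequential run and the scope of every action, the concurrent run is derived by ordering two events exactly when their scopes intersect, and its sequential runs are recovered as the linear extensions of that partial order. The fork names, variable names and the encoding of actions as single letters are assumptions of the example; under the approach of 2.2 a variable that is only read (z in prog₂) still belongs to the scope.

```python
"""Deriving concurrent runs from sequential runs by the scope of actions.
Added example, not code from the paper.  An event is a position in a
sequential run; two events are causally ordered iff the scopes of their
actions intersect (the earlier one then precedes the later one), and the
concurrent run is the transitive closure of that relation.  Enumerating
the linear extensions of the concurrent run gives back its sequential
runs (section 3.8)."""


def concurrent_run(seq, scope):
    """Return (events, order): events is the list of action names of the
    sequential run, order the transitively closed set of pairs (i, j)
    meaning 'event i precedes event j'."""
    n = len(seq)
    order = {(i, j) for i in range(n) for j in range(i + 1, n)
             if scope[seq[i]] & scope[seq[j]]}
    for k in range(n):                       # transitive closure (Warshall)
        for i in range(n):
            for j in range(n):
                if (i, k) in order and (k, j) in order:
                    order.add((i, j))
    return list(seq), order


def linear_extensions(events, order):
    """All sequential runs (tuples of action names) of the concurrent run."""
    preds = {e: {p for (p, q) in order if q == e} for e in range(len(events))}
    runs = []

    def extend(chosen, remaining):
        if not remaining:
            runs.append(tuple(events[i] for i in chosen))
            return
        for e in sorted(remaining):
            if preds[e] <= set(chosen):      # all predecessors already placed
                extend(chosen + [e], remaining - {e})

    extend([], set(range(len(events))))
    return runs


def is_chain(events, order):
    """True iff the concurrent run is totally ordered (no concurrency)."""
    n = len(events)
    return all((i, j) in order for i in range(n) for j in range(i + 1, n))


# Dining philosophers a..e (3.2): action A = philosopher a picks up both
# adjacent forks, eats and releases them, so its scope is those two forks.
FORKS = {"A": {"ea", "ab"}, "B": {"ab", "bc"}, "C": {"bc", "cd"},
         "D": {"cd", "de"}, "E": {"de", "ea"}}

# prog1 and prog2 (4.1, 4.2): in prog2 both loops also read z, and under the
# approach of 2.2 reading counts as accessing the variable.
PROG1 = {"X": {"x"}, "Y": {"y"}}
PROG2 = {"X": {"x", "z"}, "Y": {"y", "z"}}

# x := f(x) versus x := g(x, y) (4.3), beside an update Y of y.
ASSIGN = {"F": {"x"}, "G": {"x", "y"}, "Y": {"y"}}

if __name__ == "__main__":
    # The run of Fig. 8: a and c start concurrently, b twice, d after c,
    # e after a and d.  Any of its 15 linearizations yields the same run.
    print(len(linear_extensions(*concurrent_run("ACBBDE", FORKS))))
    # 'A while C is followed by D': one concurrent run, three sequential runs.
    print(linear_extensions(*concurrent_run("CAD", FORKS)))
    # prog1: one concurrent run; prog2: every interleaving is its own chain.
    print(is_chain(*concurrent_run("XYXY", PROG1)),
          is_chain(*concurrent_run("XYXY", PROG2)))
    # f(x) and g(x, y) agree sequentially but give different concurrent runs.
    print(linear_extensions(*concurrent_run("FY", ASSIGN)),
          linear_extensions(*concurrent_run("GY", ASSIGN)))
```

Starting from `ACBBDE` or from `CABBDE` gives the same set of fifteen sequential runs, because both are linearizations of one concurrent run; with the larger scope of g the run `GY` has a single linearization while `FY` has two.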
5 Proper Data Structures

5.1 Inconsistent Update

A typical example of inconsistent update is a sequence (or 'block') formed by

    f(a) := b
    f(a) := c

with b ≠ c. [ ] requires computation to stall in this case. [7] suggests nondeterministic choice.

Both alternatives assume a runtime system or a global controller or whatever means to detect and to manage this case instantly. Distributed algorithms prevent this kind of regime, however: If f(a) := b and f(a) := c are concurrently executed by two different agents, there is no means to detect inconsistency instantly.



5.2 Manage Distributed Inconsistency?

Static analysis of an algorithm may reveal that distributed inconsistency never occurs. But in case it does occur, it cannot be detected instantly upon occurrence. Hence it can neither be prevented nor treated in a particular way. So one must provide a framework that would allow distributed inconsistency to occur.

An obvious choice for such a framework were relations, i.e. sets of pairs R ⊆ A × B, for sets A and B. A function f : A → B is then conceived as the relation f := {(a, f(a)) | a ∈ A}. Distributed updates f(a) := b and f(a) := c would then extend f by (a, b) and (a, c).

The idea of relations is not yet satisfactory. As an example, consider three agents A, B, C, concurrently executing f(a) := b, f(a) := c and f(a) := undef, respectively. This would not yield a determined effect: It is necessary to explicitly state the element to be removed, i.e. to replace f(a) := undef by remove (a, b) from f or remove (a, c) from f.

Still, a difficulty remains. It can be exemplified by the example of three agents, A, B, C, concurrently executing f(a) := b, f(a) := b and remove (a, b) from f, respectively. This, again, yields no determined effect. There is a solution, however: With f(a) := b, A inserts one item (a, b) to f. With the same assignment statement, B inserts another item (a, b) to f. With remove (a, b) from f, C removes one of those items. Removing both of them would require another occurrence of remove (a, b) from f.

Summing up, a data structure can concurrently be updated if it allows for multiple occurrences of items; the structure is to be a multiset over a set M. That multisets are the adequate basis for data structures of distributed systems is well known for decades: Multiple occurrences of identical tokens is a basic notion of Petri nets. Multisets are likewise used in the Chemical Abstract Machine of [2].

The set M is frequently a relation or a graph of a function; it may be ordered, be equipped with other operations or distinguished elements. It may be a matter of fact for a given algorithm that no element occurs at different locations at the same time. Nevertheless, a framework is required to capture the case of multiple occurrences. To this end we suggest two universal operations for all multisets f over some set A, and a ∈ A:

    insert(f, a)  is always enabled and inserts another item a to f;
    remove(f, a)  is enabled if there exists at least one item a in f; an occurrence of remove(f, a) then removes one a from f.

Both these operations may occur concurrently. A nice illustration is a large buffet table with several waiters inserting plates of food and many diners removing the plates from the buffet table.

The buffet paradigm does not imply, however, that the most general case of multisets always applies. The structure of an algorithm may guarantee that a dynamically changing data structure always meets distinguished properties. Typically, items may actually occur at most once; they may consist in pairs of items that form a tree, or are right unique (i.e. form a partial function), etc.

Then total functions can be gained by help of an operator update(f, a, b, c) that consists of remove(f, (a, b)) and insert(f, (a, c)).
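As an added worked example of 5.1 and 5.2 (written for this edition, not code from the paper): the three concurrent agents of the text issue insert and remove operations on a shared structure, every order in which enabled operations can be applied is a run, and the structure is proper for concurrent update when all runs end in the same state. Plain sets give two different outcomes for two inserts of (a, b) and one removal, multisets give one; the `update` operator is realized as the pair remove/insert and keeps a function right unique. The class names, the tuple encoding of items and the use of `Counter` are assumptions of the example.

```python
"""Concurrent updates of a data structure: sets versus multisets.
Added example, not code from the paper.  Agents issue insert/remove
operations on a shared structure; every order in which enabled operations
can be applied is a run, and the structure is 'proper' for concurrent
update when all runs end in the same state."""
from collections import Counter
from itertools import permutations


class Multiset:
    """Multiset over items (here pairs), with the two universal operations
    insert and remove of section 5.2."""

    def __init__(self, items=()):
        self.count = Counter(items)

    def enabled(self, op):
        kind, item = op
        return kind == "insert" or self.count[item] > 0

    def apply(self, op):
        kind, item = op
        assert self.enabled(op), op
        self.count[item] += 1 if kind == "insert" else -1
        self.count += Counter()             # drop items whose count is 0
        return self

    def snapshot(self):
        return tuple(sorted(self.count.items()))

    def is_function(self):
        """Right unique and without multiple occurrences: the graph of a
        partial function."""
        firsts = [a for (a, _) in self.count.elements()]
        return len(firsts) == len(set(firsts))


class Set(Multiset):
    """The same operations on a plain set: a second insert of an item is
    lost, so one remove deletes what two agents inserted."""

    def apply(self, op):
        kind, item = op
        assert self.enabled(op), op
        self.count[item] = 1 if kind == "insert" else 0
        self.count += Counter()
        return self


def update_ops(a, b, c):
    """The operator update(f, a, b, c) of the text, as the two operations
    remove(f, (a, b)) and insert(f, (a, c)) to be applied to f."""
    return [("remove", (a, b)), ("insert", (a, c))]


def outcomes(structure, initial, ops):
    """Final states of all runs: permutations of ops in which every
    operation is enabled when it is applied (a remove cannot precede the
    insert it needs).  A single outcome means the concurrent update is
    determined."""
    results = set()
    for order in permutations(range(len(ops))):
        s = structure(initial)
        for i in order:
            if not s.enabled(ops[i]):
                break
            s.apply(ops[i])
        else:
            results.add(s.snapshot())
    return results


if __name__ == "__main__":
    INS, REM = ("insert", ("a", "b")), ("remove", ("a", "b"))
    # agents A and B insert (a, b), agent C removes one (a, b)
    print(outcomes(Set, [], [INS, INS, REM]))        # two different outcomes
    print(outcomes(Multiset, [], [INS, INS, REM]))   # one outcome: one (a, b)
    print(outcomes(Multiset, [("a", "b")], update_ops("a", "b", "c")))
```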
Partially Ordered Runs: A Case Study

Yuri Gurevich and Dean Rosenzweig

Abstract. We look at some sources of insecurity and difficulty in reasoning about partially ordered runs of distributed ASMs, and propose some techniques to facilitate such reasoning. As a case study, we prove in detail correctness and deadlock-freedom for general partially ordered runs of distributed ASM models of Lamport's Bakery Algorithm.



1 Introduction

Distributed ASM [4] is a general concurrent model of multi-agent computation. It was intended, by generalization of its more limited precursors [ 3], to allow as much concurrency as logically possible. Although the definition has been in print for several years, its notion of partially ordered runs has remained largely unexploited in its generality; most of its uses in the literature have recourse to some kind of specialization to linear time, discrete or continuous. The general partially ordered runs seem to be somehow difficult to handle and to reason about.

Apart from deeply engrained intuitions of linear time, we feel that some rather technical sources of this difficulty can be detected.

Sequential runs [4] have two properties which greatly facilitate reasoning.

1. Every move is executed in a well-defined state.

2. 'External' (or 'monitored', cf. below) changes can be located in time and thought of as actions by the environment. The environment thus becomes just another (typically implicit) agent whose behaviour can be specified in declarative terms. The judicious splitting of dynamics into a part given by the program and a part that can be specified declaratively is a natural way to separate concerns and to abstract things.



I a partiall or ere 


ru 


eit er 


of t e a 


ove properties ol i ge 


eral — a 


(glo al) state i ic 


a 


move is 


e ecute 


is i 


ge eral 


ot u iquel 


e e 


a it is ot at all clear o to locate e ter 


al c 


a ges i a 


partial or er. ese 


seem to e importa t 


sources of 


i securit 


a 


ifficult 


i reaso i 


g a out 


partiall or ere ru s. 
















is r ar is not li 


it 


d to t 


cont t- 


— ost or 


al t ods 


od lling 


concurr nc t nd to 


all 


ac , on 


a or anot 


r, to so 


ind o int 


rl aving, 


s qu ntial s antics 
















Y. Gurevich et al. (Eds.), pp. ... © Springer-Verlag Berlin Heidelberg
We address both issues here, developing some techniques to salvage as much of properties 1. and 2. as needed for partially ordered runs. In order to convince the reader that with such means nontrivial reasoning about partially ordered runs is feasible, we do it: as a case study we apply the techniques to a nontrivial correctness proof. The case study also demonstrates that the proper setting for analysis of concurrent algorithms involves truly concurrent runs; mapping to linear time may well miss some important points.

In section 2 we deduce some simple consequences of the coherence condition of [4], providing sufficient conditions for moves in a distributed run to have at least a significant portion of state well-defined when they execute. This largely reconstructs property 1. for partially ordered runs of many distributed programs.

In the same section we introduce 'external change' in the form of 'monitored' moves by unknown agents with unknown programs, located exactly in the partial order. This is an extension of the standard practice (of having 'the environment' as a single, typically implicit, unknown agent), reconstructing largely property 2. for partially ordered runs.

In the rest of the paper we explain a nontrivial correctness proof for partially ordered runs: we prove in detail correctness and deadlock-freedom of (distributed ASM models of) Lamport's Bakery Algorithm [6]. We proceed on three different abstraction levels there. The abstraction level of our primary model B corresponds precisely to that of Lamport's algorithm: the part specified declaratively is exactly what Lamport's algorithm doesn't define. A higher level description of the model B allows us to deduce correctness and deadlock-freedom from abstract properties shown to hold of B. A lower level description of the model B is shown to implement programmatically exactly all behaviours allowed by B.

Egon Börger and we wrote about the Bakery Algorithm earlier; see [2], where a correctness proof was given for models of the Bakery Algorithm with runs embedded in continuous linear time. Our new models and proofs are similar to those of [2], but they are also different. The proofs of [2] rely essentially on continuous linear time. As we will see later (see section 7), certain information about partially ordered runs is obfuscated in linear runs. Here we remove the linear time crutches and work directly with partially ordered runs. As in [2] we borrow ideas from [6] and [ ]. In order for the paper to be reasonably self-contained we spell the entire construction out in full.



2 Preliminaries

We presume that the reader is familiar with [4]. Consider a one-agent program π and let f be a basic function of π which is dynamic, so that the values of f can change in runs of π. Egon Börger suggested to use for ASMs the following terminology borrowed from Parnas. f is controlled if only π can change it. f is monitored if only the environment can change it. f is shared if both π and the environment can change it. (In [4] controlled functions were called internal and monitored functions were called external.)

The terminology extends naturally to a multi-agent program Π. Let X be a set of agents of Π. A dynamic basic function f is controlled by X if only agents in X can change it. f is monitored by X if none of the agents in X can change it. The terminology also extends to particular locations rather than whole functions.

2.1 Partially Ordered Runs

We rely on the notion of partially ordered run of [4].

This means that we shall consider partially ordered sets of moves with the 'finite history' property: {y : y < x} is finite for all x (we shall refer to the ordering relation < using also ≤, >, ≥). Each move is performed by an agent, and since agents are sequential, moves of one agent form a sequence; since there are finitely many agents, all antichains are finite.

A (global) state σ(I) is associated with every finite initial segment I (a downwards closed finite subset) of a run, resulting from performing all moves in I so that if s < t then s is executed earlier than t. In particular, if I is the empty segment then σ(I) is the initial state of the run.

Using a partial order implies that moves s, t may be concurrent, i.e. incomparable: neither s < t nor t < s holds. The global state 'resulting' from a move is then in general not uniquely determined. It depends on what global state we see as the one in which the move is performed. Thus states are subject to a coherence condition [4] which allows us to give the following definitions.

Let post(t) be the set of all finite initial segments in which a move t is maximal, and let a be the agent performing t. For each I ∈ post(t) the state σ(I) is the state obtained when a executes its program in the state σ(I \ {t}).

'The global state' in which a move is performed is also not in general uniquely defined. Let pre(t) = {I \ {t} : I ∈ post(t)}. Several different states are thus in general associated with pre(t), which makes reasoning about partially ordered runs somewhat difficult. The coherence condition may however, as we shall see below, impose that some term has a unique value at all states σ(I), I ∈ pre(t).

In order to express such requirements succinctly, we extend term valuation from states to some state sets, saying that

    Val_pre(t)(u) = c      if c = Val_σ(I)(u) for all I ∈ pre(t),
    Val_pre(t)(u) = undef  if no such value c exists,

where t is a move in a distributed run and Val_S(u) is the value of term u in state S [4]. We shall often shorten Val_pre(t)(u) to u_pre(t). When the value of u_pre(t) is given by the first clause, i.e. when there is a c such that ∀I ∈ pre(t) (c = Val_σ(I)(u)), we shall say that u_pre(t) is indisputable (or that its value is indisputable). Notice that an indisputable value may also be undef, but whenever u_pre(t) ≠ undef then its value is indisputable.

For future reference let us note some immediate properties of pre(t).

Fact 1. Let t be a move in a partially ordered run. Then pre(t) has the following properties.

1. pre(t) has a minimal element min pre(t) = {s : s < t} and a maximal element max pre(t) = {s : s ≱ t}.

2. pre(t) is the set of all initial segments I such that min pre(t) ⊆ I ⊆ max pre(t), and is hence closed under unions and intersections.

3. Let s and t be moves. The following are equivalent:
(a) s is concurrent with t.
(b) min pre(s) ∪ min pre(t) is an initial segment that belongs to pre(s) ∩ pre(t).
(c) pre(s) ∩ pre(t) ≠ ∅.
(d) There exist I, J ∈ pre(t) with s ∈ I \ J.

Statement 3 may need an argument. We prove that (a) implies (b) implies (c) implies (d) implies (a).

(a) implies (b). Assume that s is concurrent with t and let I = min pre(s) ∪ min pre(t). Clearly I is an initial segment. Check that min pre(t) ⊆ I ⊆ max pre(t), so that I ∈ pre(t). By symmetry I ∈ pre(s).

(b) implies (c). Trivial.

(c) implies (d). Assume that pre(s) ∩ pre(t) ≠ ∅ and let J be a member of pre(s) ∩ pre(t). Let I = J ∪ {s}. Clearly I ∈ pre(t).

(d) implies (a). Suppose that I, J ∈ pre(t) and s ∈ I \ J. If s < t then s ∈ min pre(t) ⊆ J, so that s ∈ J, which is impossible. The dual argument shows that s > t is impossible as well.

We shall say that a move t (in a given partially ordered run) may change the value of term u if for some I ∈ pre(t) we have Val_σ(I)(u) ≠ Val_σ(I ∪ {t})(u) (equivalently, if t changes the value of u in some linearization of the run). If the above holds for all I ∈ pre(t) (equivalently, if t changes the value of u in all linearizations) we shall say that t must change the value of u.

Recall that a linearization of a partially ordered run is a run with the same moves and a linear order extending the given partial order. It was noted in [4] that in view of the coherence condition all linearizations of a finite run have the same final state.

Example. Take for instance two agents a, b such that a executes the program

    x := 1

and b executes the program

    if mode = first then
        mode := second
        y := 1
    endif
    if mode = second then
        y := max(x, y) + 1
        mode := final
    endif

Assume that x = y = 0, mode = first initially, and consider a run with a move s of a concurrent with two consecutive moves t₁, t₂ of b. Note that s and t₁ may but not must change the value of max(x, y), while t₂ must change it.

In these terms we have

Lemma 1. If u_pre(t) is not indisputable then there is a move s concurrent with t which may change u.

Proof. Assume the conclusion is false, that no move concurrent with t may change u. To go from σ(min pre(t)) to σ(I), by Fact 1 we have to execute only some moves concurrent to t, none of which may change u. Thus Val_σ(I)(u) = Val_σ(min pre(t))(u) for all I ∈ pre(t), and u_pre(t) is indisputable, in contradiction to the premise. □

Lemma 2. If there is a move s concurrent with t which must change u then u_pre(t) is not indisputable.

Proof. Since s, t are concurrent, by Fact 1 there is an initial segment I ∈ pre(s) ∩ pre(t). Both I and I ∪ {s} are in pre(t), and since s must change u they have different values of u. □

We shall say that a term u is focused (in a given run) if any move which may change its value also must change it. For a focused term u it is unambiguous to say that a move changes the value of u. In many cases the property of being focused will be obvious from the programs. Here we will also use the following lemma.

Lemma 3. If the value of a term u can be changed by a single agent only, then the term is focused.

Proof. Suppose that u may be changed only by agent a, and that t is a move by a. It suffices to show that u_pre(t) is indisputable, since then u_post(t) is also indisputable and is different from u_pre(t) iff t changes u. To see that u_pre(t) is indisputable, note that the agents involved in all moves concurrent to t are different from a, and by the premise none of them may change u. By Lemma 1 u_pre(t) is indisputable. □

Putting the above lemmata together we have

Fact 2. If term u is focused then u_pre(t) is indisputable iff t is comparable, in the given partial order, with any move changing the value of u.

The above example shows that the assumption of focus cannot be dropped for one direction of Fact 2: max(x, y)_pre(t₂) is indisputable, and t₂ is concurrent to s which may change the value. The nice property that every location is changed by one agent only does not help with the term max(x, y). Note also that Fact 2 is useful for 'counter' updates like c := c + 1; if c is changed only in such a way, even concurrently, then it is focused.
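The definitions of 2.1 (initial segments, σ(I), pre(t), indisputable values, 'may' and 'must' change) are small enough to be executed on a finite run. The following is an added example (written for this edition, not code from the paper) that does so for the run of agents a and b above and reproduces the observations made about it: max(x, y)_pre(t₁) is disputed, max(x, y)_pre(t₂) is indisputable, s and t₁ may but not must change max(x, y), and t₂ must. The encoding of states as dictionaries and of programs as state-to-state functions, and the check of the coherence condition by comparing the results of executing each maximal move last, are assumptions of the example.

```python
"""Partially ordered runs (section 2.1): initial segments, sigma(I), pre(t),
indisputable values, 'may' and 'must' change.  Added example, not code
from the paper; it runs the example of agents a and b above."""
from functools import lru_cache
from itertools import combinations

DISPUTED = object()      # marker: no single value at all states in pre(t)


def prog_a(st):
    st = dict(st)
    st["x"] = 1
    return st


def prog_b(st):
    st = dict(st)
    if st["mode"] == "first":            # both guards are evaluated in st
        st["mode"], st["y"] = "second", 1
    elif st["mode"] == "second":
        st["y"] = max(st["x"], st["y"]) + 1
        st["mode"] = "final"
    return st


def max_xy(st):
    return max(st["x"], st["y"])


class Run:
    """A finite partially ordered run: moves with their agents' programs,
    and the strict order < given as pairs (closed transitively here)."""

    def __init__(self, initial, programs, order):
        self.initial = initial
        self.programs = programs          # move -> program (state -> state)
        self.moves = sorted(programs)
        self.order = set(order)
        for k in self.moves:              # transitive closure
            for i in self.moves:
                for j in self.moves:
                    if (i, k) in self.order and (k, j) in self.order:
                        self.order.add((i, j))

    def initial_segments(self):
        """All downward closed subsets of the moves."""
        return [frozenset(sub)
                for r in range(len(self.moves) + 1)
                for sub in combinations(self.moves, r)
                if all(s in sub for (s, t) in self.order if t in sub)]

    @lru_cache(maxsize=None)
    def state(self, seg):
        """sigma(seg).  The coherence condition requires the same result
        whichever maximal move of seg is executed last; checked here."""
        if not seg:
            return tuple(sorted(self.initial.items()))
        maximal = [t for t in seg if not any((t, u) in self.order for u in seg)]
        results = set()
        for t in maximal:
            before = dict(self.state(seg - {t}))
            results.add(tuple(sorted(self.programs[t](before).items())))
        assert len(results) == 1, "coherence violated at %s" % sorted(seg)
        return results.pop()

    def pre(self, t):
        """pre(t) = {I \\ {t} : I initial segment with t maximal in I}."""
        return [seg - {t} for seg in self.initial_segments()
                if t in seg and not any((t, u) in self.order for u in seg)]

    def value_pre(self, term, t):
        """u_pre(t): the common value of the term over pre(t), or DISPUTED."""
        values = {term(dict(self.state(seg))) for seg in self.pre(t)}
        return values.pop() if len(values) == 1 else DISPUTED

    def changes(self, term, t):
        """For each I in pre(t): does executing t in sigma(I) change the term?"""
        return [term(dict(self.state(seg))) != term(dict(self.state(seg | {t})))
                for seg in self.pre(t)]

    def may_change(self, term, t):
        return any(self.changes(term, t))

    def must_change(self, term, t):
        return all(self.changes(term, t))


# The run of the example: move s by agent a, concurrent with t1 < t2 by b.
EXAMPLE = Run({"x": 0, "y": 0, "mode": "first"},
              {"s": prog_a, "t1": prog_b, "t2": prog_b},
              {("t1", "t2")})

if __name__ == "__main__":
    print(EXAMPLE.value_pre(max_xy, "t1") is DISPUTED)        # True
    print(EXAMPLE.value_pre(max_xy, "t2"))                    # 1
    print(EXAMPLE.may_change(max_xy, "s"), EXAMPLE.must_change(max_xy, "s"))
```

pre(t₁) is {∅, {s}}, whose states give max(x, y) the values 0 and 1, hence disputed; pre(t₂) is {{t₁}, {s, t₁}}, with value 1 in both states, although s (which may change the term) is concurrent with t₂, exactly the failure of the unfocused direction of Fact 2.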







Y. Gurevich and D. Rosenzweig



Fact 3. If the values of u_pre(t), u_pre(s) are both indisputable but different, then s < t or t < s.

Proof. Assume u_pre(t) and u_pre(s) are both indisputable and s and t are concurrent. Then there is an initial segment I ∈ pre(s) ∩ pre(t), and u_pre(s) = Val_σ(I)(u) = u_pre(t). □

A novelty of this paper is in allowing a run of a multi-agent program Π to have 'monitored moves', that is moves of unknown agents. We have some known agents with known programs. The moves of these agents are by definition controlled.

In addition there may be some number of unknown agents whose programs are unknown as well. Their moves are by definition monitored.

A dynamic function of Π, or a location, will be called controlled if it is controlled by the known agents. It will be called monitored if it is monitored by the known agents.

The presence of unknown agents is consistent with [4], even though the standard practice has been so far to assume that all explicit moves belong to known agents with known programs, though the active environment could make some implicit moves.

The moves by the environment now become explicit, and the unique monitored agent of standard practice, 'the environment', is now allowed to split into a number of possibly different unknown agents.

The total number of agents involved in a given state is still finite. The coherence condition applies to all moves, controlled or monitored (even though we may have no direct way to verify instances of the coherence condition that involve monitored moves). Therefore Facts 1 to 3 remain valid.

The presence of monitored moves allows us to separate concerns and to abstract. Parts of the algorithm can be formulated in the form of more or less declarative statements about monitored moves in runs (which blurs to an extent the distinction between the algorithm and its environment).



3 Lamport's Algorithm

For arbitrary but fixed N let P₁, ..., P_N be processes (we shall also talk about 'customers') that may want from time to time to access a 'critical section' of code. A mutual exclusion protocol, which each Pᵢ is supposed to execute in order to enter the critical section, has to prevent two processes from being in the critical section simultaneously. The Bakery Algorithm provides each Pᵢ with a (shared) register Rᵢ and a (private) array n[1], ..., n[N] holding natural numbers. Only Pᵢ is allowed to write to Rᵢ, but every process can read the register. We assume each register to be initialized with value 0.

The algorithm was presented by Lamport with the following piece of pseudocode.
    start:
        n[i] := 1
        write(Ri, n[i])
    doorway:
        for all j ≠ i, read(Rj, n[j])
    ticket:
        n[i] := 1 + max_j n[j]
        write(Ri, n[i])
    wait:
        for all j ≠ i, repeat
            read(Rj, n[j])
        until n[j] = 0 or n[j] > n[i] or (n[j] = n[i] and j > i)
    critical section
    final:
        Ri := 0

The Bakery Algorithm is divided into six consecutive phases: start, doorway, ticket assignment, wait section, critical section and final.

To declare its interest in accessing the critical section, a process Pᵢ writes 1 into array variable n[i] and then posts the written value in its register.

In the doorway section Pᵢ copies all the other registers into its array. It then computes a ticket, which is the least integer greater than all integers in its private array, writes the ticket into n[i] and posts the written value in its register.

During the subsequent wait section process Pᵢ keeps reading into its array the registers of each other process Pⱼ until the resulting array value n[j] = 0 or n[j] > n[i] or n[j] = n[i] ∧ j > i.

The meaning of the condition is the following: if n[j] = 0 then Pⱼ is not interested in entering the critical section and it has no right to block Pᵢ. If n[j] > n[i] > 0 then Pᵢ has a smaller 'ticket' and has the right to go before Pⱼ. The last clause resolves the case of two customers obtaining the same 'ticket': the one with the smaller identifier goes first. Note that, ordering pairs of positive integers lexicographically,

    (i, j) < (k, l)  ⟺  [i < k or (i = k and j < l)],

one can write the until condition as follows: n[j] = 0 or (n[j], j) > (n[i], i).

Once permitted to go, Pᵢ enters the critical section. Upon leaving, as a finale, Pᵢ sets its register to 0.

Note also that the for-all commands in the doorway and the wait section may be executed in many ways: in various sequences, all at once concurrently, etc.

It may be worth mentioning the following. The process first writes into n[i] and then posts the written value at Rᵢ. Obviously it could do the two actions in the reverse order. Intuitively the order between the two actions is immaterial, but the sequential character of the pseudo-code imposes one.
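The pseudocode above can be executed step by step under an arbitrary interleaving of the customers. The following is an added example (written for this edition, not code from the paper): every read or write of a register is one atomic step, the registers are read without interference (the first approach of section 2 of the preceding paper), and a seeded scheduler chooses which customer takes the next step, so the interleaving is arbitrary but reproducible. The simulation counts how many customers are ever in the critical section at the same time and how many entries are completed, which is what mutual exclusion and deadlock-freedom require. The reading order in the doorway (index order), the generator-based encoding of a customer and the random scheduler are assumptions of the example.

```python
"""Lamport's Bakery Algorithm simulated step by step.  Added example, not
code from the paper.  Each read or write of a register is one atomic step;
a seeded scheduler picks the customer that takes the next step."""
import random


def bakery(n_procs, rounds, seed=0):
    """Run n_procs customers, each passing through the critical section
    `rounds` times.  Returns (max_in_cs, entries): the largest number of
    customers ever in the critical section at once, and the number of
    completed entries.  Mutual exclusion means max_in_cs == 1; absence of
    deadlock means entries == n_procs * rounds (the run terminates)."""
    R = [0] * n_procs                  # shared registers R_i (0-based ids)

    def customer(i):
        n = [0] * n_procs              # private array n[ ] of P_i
        for _ in range(rounds):
            n[i] = 1                                   # start
            yield
            R[i] = n[i]                                # write(R_i, n[i])
            yield
            for j in range(n_procs):                   # doorway (index order)
                if j != i:
                    n[j] = R[j]                        # read(R_j, n[j])
                    yield
            n[i] = 1 + max(n)                          # ticket
            yield
            R[i] = n[i]
            yield
            for j in range(n_procs):                   # wait
                if j == i:
                    continue
                while True:
                    n[j] = R[j]
                    yield
                    if n[j] == 0 or (n[j], j) > (n[i], i):
                        break
            yield "enter"                              # critical section
            yield "leave"
            R[i] = 0                                   # final
            yield

    rng = random.Random(seed)
    active = {i: customer(i) for i in range(n_procs)}
    in_cs, max_in_cs, entries = set(), 0, 0
    while active:
        i = rng.choice(sorted(active))                 # arbitrary interleaving
        try:
            event = next(active[i])
        except StopIteration:
            del active[i]
            continue
        if event == "enter":
            in_cs.add(i)
            entries += 1
            max_in_cs = max(max_in_cs, len(in_cs))
        elif event == "leave":
            in_cs.discard(i)
    return max_in_cs, entries


if __name__ == "__main__":
    print(bakery(4, 3, seed=1))       # (1, 12) for every seed
```

A customer that reads n[j] = 1 keeps reading: Pⱼ is in its doorway and has not yet posted its ticket, which is what the 'n[j] = n[i] and j > i' clause and the value 1 written at start are for. Removing the `R[i] = n[i]` step after start, so that a customer in the doorway still shows 0, lets the scheduler find runs with two customers in the critical section.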
4 Primary Model B

The doorway section in Lamport's program does not give us any indication how customer i is supposed to perform reading. Should it read the registers Rⱼ in the order given by the indices, in the reverse order? Should it get help and use vassal agents, one per each Rⱼ? There are many other possibilities. To reflect the situation in proper generality, our primary model B includes no reading instructions whatsoever. Instead we will require that runs of B satisfy certain provisos that guarantee that reading is performed.



4.1 Program of B



B has only one program, used by all customers, which has five rules. The array A(X, Y) represents the array n[Y] of the program, private to customer X. We assume that initially all registers have value 0, all customers are in mode satisfied and all elements of the array A(X, Y) are undef. We assume that the identifiers of the customers are distinct natural numbers ≤ N. Variables X, Y will range over customers.



Start
    if mode(me) = satisfied then
        A(me,me) := 1, R(me) := 1, mode(me) := doorway

Ticket
    if mode(me) = doorway and ∀Y ≠ me (A(me,Y) ≠ undef) then
        A(me,me) := 1 + max_Y A(me,Y), R(me) := 1 + max_Y A(me,Y)
        mode(me) := wait

Entry
    if mode(me) = wait and
       ∀Y ≠ me (A(me,Y) = 0 or (A(me,Y), id(Y)) > (A(me,me), id(me))) then
        mode(me) := CS

Exit
    if mode(me) = CS then
        mode(me) := done

Finale
    if mode(me) = done then
        R(me) := 0, mode(me) := satisfied
        ∀Y ≠ me A(me,Y) := undef
4.2 Semantics of B

We would like to assume that in any mode different from satisfied no customer stalls forever; eventually it makes a move (provided a move is continuously enabled from some time on).

Since in ASMs we have no explicit notion of a move (or program) being enabled, and in partially ordered runs we have no explicit notion of time, both 'enabled' and 'continuously from some time on' need definitions.

There are two obvious candidates for the notion of a program being enabled in a state. One is based on the intuition that a program is enabled if it 'gets down to updates', i.e. if in the given state it generates a nonempty set of updates. The other possibility is that it really changes the state, i.e. that the update set is nonempty and also nontrivial. We are happy to sidestep the issue here since for all programs of this paper the two notions will coincide — whenever a nonempty set of updates is generated, it will also be nontrivial. Thus we can say that a program is enabled in state a if it produces a nonempty set of updates in a.

We say that an agent X stalls forever in a run if (a) X has a last move, say t, and (b) after that move X (the program of X) is eventually always enabled (in all σ(J) for J ⊇ I, for some initial segment I ∋ t).

We thus assume

Progress Proviso 1. No customer in mode other than satisfied stalls forever.

We consider the runs of B containing enabled moves by customers executing their programs subject to the Progress Proviso, and also some monitored moves. Our entire knowledge about monitored moves will be encapsulated in the explicit requirements R0, R1 and R2 below.

The following open intervals characterize the successive executions by a process X of its rules Start, Ticket, Entry, Exit, Finale (also in a partial order we refer to open intervals (a, b) = {x : a < x < b}).

Definition 1. Suppose a is the move of X executing the Start rule and b is the next move of X (which has to execute the Ticket rule). Then the interval x = (a, b) is a doorway of X, and a = Start(x), b = Ticket(x). If b is the last action of X then the wait interval W(x) = {t : t > b} is incomplete and the interval C(x) is undefined. Suppose that c is the next move of X after b (necessarily executing the Entry rule), d is the next move of X after c (necessarily executing the Exit rule) and e is the next move of X after d (necessarily executing the Finale rule). Then W(x) = (b, c) and C(x) = (c, d); c = Entry(x), d = Exit(x), e = Finale(x).

By the Progress Proviso and requirement R0 below, every doorway is complete, i.e. each execution of Start is followed by an execution of Ticket. So is every critical section, i.e. each execution of Entry is followed by executions of Exit (and subsequently Finale).
The program of customer X writes to locations mode(X), R(X), A(X,Y), where the locations A(X,Y) with Y ≠ X are only cleaned up (that is, set to undef) by X (in Finale), and somebody else writes more meaningful information into these locations.

Our program covers all but the reading actions. Since our definitions do not allow 'partially known programs', i.e. a controlled agent cannot do more than what its program instructs him to do, more meaningful values have to be written there by the environment, i.e. by somebody else.

We assume that the locations mode(X), R(X), A(X,X) are also controlled, i.e. that no other (known or unknown) agent may write there. This is justified by Lamport's algorithm: other customers as well as the environment have no business writing to mode(X), R(X), A(X,X).

This assumption implies that R(Y) is focused for all customers Y and, by the program and Fact 2, the following holds for all moves b in a run of B.

Corollary 1. R(Y)(b) is indisputable iff b compares to all Start, Ticket and Finale moves of Y.

To avoid repetitive case distinctions for customers which (being satisfied) have register 0 and customers which happen to receive the same ticket, we introduce the following notation. If f is a function from customers to natural numbers let

    f↑(X) = (f(X), id(X))  if f(X) > 0,
    f↑(X) = ∞              otherwise.

For a location ℓ and a move b, ℓ(b) denotes the value of ℓ at pre(b); the lifting ↑ is applied to such values as well, so that R↑(Y)(b) is (R(Y)(b), id(Y)) or ∞.

Let X, Y range over customers and x, y over doorways of customers X, Y respectively.

We abbreviate 1 + max_Y A(X,Y)(Ticket(x)) as T(x), and write T↑(x) for (T(x), id(X)). The declarative requirements saying what reads need to be done are the following (with x being an arbitrary doorway of customer X):

R0. Each execution of Start by X completes to a doorway x. For each x, for each Y ≠ X there is a move b ∈ x such that A(X,Y)(Ticket(x)) = R(Y)(b) (thus T(x) > R(Y)(b) ≠ undef).

R1. If W(x) is complete then for each Y ≠ X there is a move b ∈ W(x) such that R(Y)(b) = A(X,Y)(Entry(x)) (thus T↑(x) < R↑(Y)(b) ≠ undef).

R2. If W(x) is incomplete then for some Y ≠ X there is an infinite chain b_1 < b_2 < ... of moves in W(x) such that for each n, R↑(Y)(b_n) < T↑(x) (thus also R(Y)(b_n) ≠ undef).

R0 tells us that the value of R(Y) appearing in the array at Ticket(x) is read in x. R1 says that permission to go is obtained by executing, for each Y, a successful read in W(x), while R2 tells us that X may be prevented from going only by executing, for some Y ≠ X, an infinite sequence of unsuccessful reads in W(x), where a read b ∈ W(x) from R(Y) on behalf of X is successful if R↑(Y)(b) > T↑(x). It turns out that R0, R1 and R2 are all that we need to know about reading actions in order to prove correctness and deadlock-freedom of B.

[4] The official notation for these locations is (mode, Y), (R, Y), (A, (X, Y)); since in the simple cases occurring in this paper no ambiguity may arise, we shall use the applicative term notation as above also for locations.

Requirements R0 and R1 say that for each Y there is a move b(Y) in x, respectively W(x), having some property. Remark that without loss of generality we can assume that these moves b(Y) are all distinct. Suppose namely that in R0 or R1 we have b = b(Y_1) = ... = b(Y_k). Then we can replace b with k distinct monitored moves which, in the partial order, follow and precede exactly the same moves as b does. It is easy to see that this replacement leaves us with a legitimate run with exactly the same partial order of customers' moves. A remark of the same kind applies also to the sequences of moves claimed by R2, but we shall not need that case.

The reader familiar with [2] might notice that, where in similar requirements there were temporal conditions on some monitored locations, here (and in the next section) they take the shape of conditions on the behaviour of unknown agents. The role of some time moments in the proofs of [2] thus turns out to be that of placeholders for monitored moves.



5 Correctness concerns: B'

We define an ASM B' expressing a 'higher level' view of the Bakery Algorithm, similar to B but with the array abstracted away. The relevant datum to be described abstractly is the ticket assigned to a customer X (and written into its register R(X)) when X leaves the doorway and enters the wait section. We introduce for this purpose two monitored functions, boolean valued Ready and integer valued T, expressing respectively readiness of the ticket and its value. The relevant moment to be analyzed is the moment at which a process with a ticket is allowed to enter the critical section. This 'permission to go' will also be represented by a monitored function Go.

We will impose requirements on the environment and monitored moves responsible for the values of Ready, T and Go which will be shown to guarantee the correctness and deadlock-freedom of the higher level B'. We will then show that these requirements are correctly implemented in B.



5.1 Program of B'

Start
    if mode(me) = satisfied then
        R(me) := 1, mode(me) := doorway

Ticket
    if mode(me) = doorway and Ready(me) then
        R(me) := T(me), mode(me) := wait

Entry
    if mode(me) = wait and Go(me) then
        mode(me) := CS

Exit
    if mode(me) = CS then
        mode(me) := done

Finale
    if mode(me) = done then
        mode(me) := satisfied, R(me) := 0



5.2 Semantics of B'

The semantics of B' is similar to that of B except for the fact that the array is gone. In particular we assume the Progress Proviso (for known agents, i.e. customers).

The role of the array is taken over by three monitored functions Ready, T and Go. Looking at B, Ready(X) and T(X) can be seen as standing for the abbreviations used there, while Go(X) can be interpreted as the guard of the Entry rule, ∀Y ≠ X (A(X,Y) = 0 or (A(X,Y), id(Y)) > (A(X,X), id(X))).

The ASM B' provides, however, no means to compute Ready, T and Go. Our first requirement says that every interested customer eventually obtains his ticket:

D0. Each execution of Start by a customer X completes to a doorway x. For each x the value T(X)(Ticket(x)) is indisputable.

The indisputable value of T(X) at Ticket(x) will, like before, be denoted by T(x). In order to express the rest of our conditions on the array in terms of T and Go we need some additional notation and terminology.

For open intervals in a partial order we also use (a, b) < (c, d) if b < c, and say that the two intervals are concurrent if neither b < c nor d < a. Note that concurrency does not necessarily imply overlap, i.e. the existence of common elements; in general it just allows it. (Note however that, if intervals are interpreted as intervals on the partial order of initial segments, with (a, b) containing all segments containing a but not b, then concurrent intervals indeed overlap.)

Sometimes we shall also compare elements with intervals: c < (a, b) if c < a, and likewise for >.

This ordering will help us to formalize the idea that tickets increase together with doorways (see D2 below). This should also apply in a way to concurrent doorways; these are ordered by the following relation ⊴, borrowed from its linear order analog of [2].

Let X ≠ Y and let x, y range over doorways of X, Y respectively.

Definition 2. x ◁ y if x and y are concurrent and T(x) < T(y). Further, x ⊴ y if x ◁ y or x < y.

Lemma 4. x ⊴ y or y ⊴ x.

Proof. Note that T(y) ≠ T(x) for X ≠ Y, while two doorways of the same customer can never be concurrent. □

Our other conditions are the following:

D1. T(x) is a positive integer > 1.

D2. If y < x then either Finale(y) < Ticket(x) or T(y) < T(x).

D3. If W(x) is complete then for every Y ≠ X there exists a move b ∈ W(x) such that T↑(x) < R↑(Y)(b) (thus R(Y)(b) ≠ undef).

D4. If W(x) is incomplete then there is a y ⊴ x with W(y) incomplete.

Intuitively, D2 says that tickets respect the temporal precedence of doorways with concurrent wait periods, D4 is an induction principle and D3 expresses that permission to go is obtained by checking the ticket against competitors' registers. D2 (together with D1) is easily seen to be an abstract version of R0, D3 is an abstract version of R1, while the fact, to be proved below, that D4 follows from R2 together with the other conditions is the essence of deadlock-freedom for the Bakery algorithm.

An immediate consequence of D3 is finite concurrency of doorways:

Corollary 2. The set of doorways concurrent to any given doorway is finite.

Proof. Let x_1 < x_2 be two doorways of X, both concurrent to y. By D3 applied to x_1 there is a move b with x_1 < b < x_2. Since R(Y)(b) is indisputable, by Corollary 1 b compares to both ends of y; b < Start(y) would imply x_1 < y, while b > Ticket(y) would imply y < x_2, both contradicting the assumption of concurrency. Thus b ∈ y. But by Finite History there can be only finitely many such b's. □

5.3 Correctness and fairness of B'

Lemma 5 (First come, first served). If y ⊴ x and W(x) is complete then W(y) is complete and C(y) < C(x).

Proof. Assume the premise is satisfied and the conclusion is false, i.e. that there is no move Finale(y) < Entry(x). Take b as given by D3.

Claim 1: T(y) < T(x).
Claim 2: Ticket(y) < b.

Given the claims we have T↑(y) < T↑(x) < R↑(Y)(b) ≠ undef, and thus Y must be writing to R(Y) at a move in (Ticket(y), b). But the first such write after Ticket(y) must be a Finale move, which contradicts the assumption that the conclusion of the lemma is false.

Claim 1 follows immediately from the definition of ⊴ in case of concurrency and from D2 otherwise.

To prove Claim 2 we first note that b is comparable to both ends of y and, in view of y ⊴ x, b < Start(y) is impossible. It is also impossible that Start(y) < b < Ticket(y), since then R(Y)(b) = 1, which contradicts the choice of b. □



Lemma 6. ⊴ is transitive.

Proof. By contradiction. Suppose x ⊴ y ⊴ z ⊴ x. Count the number n of <'s in the above sequence of ⊴ signs. In case n = 0 the statement follows from the fact that the order of integers (tickets) is transitive, and in cases n = 2, 3 the statement follows from the fact that the partial order < of open intervals in a partial order is transitive. In case n = 1, by symmetry we may assume x ◁ y ◁ z < x and therefore T(x) < T(y) < T(z). Given the assumption x ⊴ y ⊴ z ⊴ x, by Lemma 5 if one of the waiting sections is complete then so are the other two, and we have C(x) < C(y) < C(z) < C(x), which is impossible. So all three waiting sections must be incomplete. Thus we can apply D2 to obtain also T(z) < T(x), which is impossible. □

Lemma 7 (Deadlock freedom). Every W(x) is complete.

Proof. By Corollary 2 (and Finite History) ⊴ is well-founded. Then D4 is precisely the induction principle required to establish the claim. □

This section is summarized in the following

Theorem 1. Doorways are linearly ordered by ⊴, waiting sections are complete, and x ⊴ y iff C(x) < C(y).

5.4 B implements B' correctly

We check that the requirements D0–D4 are satisfied in B (i.e. follow from R0–R2), where Ready(X) = (∀Y ≠ X (A(X,Y) ≠ undef)), T(X) = 1 + max_Y A(X,Y), and Go(X) means that the condition of the rule Entry is satisfied.

D0 is enforced by requirement R0 and the Progress Proviso for B.

D1 is satisfied since the maximum in the rule Ticket is taken over all Y, including X, which at that moment has register value R(X) = 1.

D2. Take b as given by R0. Since R(Y)(b) is indisputable, the move b compares to all Start, Ticket and Finale moves of Y. With Ticket(y) < Start(x) < b it is meaningful to ask whether Y executes the Finale move in (Ticket(y), b). If it does, we are done; if it doesn't, R(Y)(b) = T(y) and T(y) < T(x).

D3 follows immediately from R1.

D4. By contradiction, suppose that the premise is satisfied but the conclusion is false, i.e. W(x) is incomplete but W(y) is complete for all y ⊴ x. Let Y and b_1 < b_2 < ... be the customer and the sequence of moves as given by R2.

Claim: There is a move b ∈ W(x) with R(Y)(b) ≠ undef such that the following two properties hold for each y:

(i) b > Ticket(y); (ii) if y ⊴ x then b > Finale(y).

First we derive the desired contradiction from the claim, and second we prove the claim.

So suppose that the claim is true and let b be as in the claim. Then R(Y)(b) has an indisputable value, and b thus compares to all moves of Y that change R(Y). What is the value of R(Y) in pre(b)? We have two possible scenarios.

Scenario 1: all y ⊴ x; then b succeeds every Finale(y) and thus R(Y)(b) = 0.

Scenario 2: there is some y with Ticket(y) < b < Finale(y); then R(Y)(b) = T(y).

To summarize: if b is as in the claim then R(Y)(b) is either 0 or T(y), so that R↑(Y)(b) > T↑(x).

The values of R(Y)(b) and of R(Y)(b_n) for every n are indisputable. The moves b and b_n thus all compare with every move of Y which changes R(Y). It is easy to see that any b_n > b satisfies (i) and (ii) in the claim, but then, as shown above, R↑(Y)(b_n) > T↑(x), which contradicts the property of b_n in R2. Thus every b_n < b, which contradicts Finite History.

It remains to prove the claim.

To prove the claim, note that for y ⊴ x, C(y) is defined and complete by the assumption that W(y) is complete and the Progress Proviso. It suffices to prove that there is at most one y > x. The sequence of doorways of Y is then finite: by Finite History it has finitely many elements < x, and by Corollary 2 finitely many elements concurrent to x. Thus Y has a last move, say e_Y. By the Progress Proviso e_Y can only be a Ticket or a Finale move. Since all b_n by Corollary 1 compare to e_Y, by Finite History for sufficiently large n we have b_n > e_Y. We can then take for the claimed b any b_n > e_Y.

It remains to prove that Y has at most one doorway > x. Suppose x < y. Then by D2 (with x, y playing y, x respectively) T(x) < T(y) (since W(x) is incomplete). If W(y) were complete, by D3 there would be a c ∈ W(y) such that R↑(X)(c) > T↑(y). But since x < y < c we also have c ∈ W(x) and R(X)(c) = T(x), so T↑(x) > T↑(y), which is impossible. Thus W(y) is incomplete and y is the last doorway of Y.

We have thus verified that D0–D4 hold of arbitrary runs of B. It follows that the results of the previous subsection, summarized in Theorem 1, hold of B as well.
6 Filling in the bits: B''

6.1 Program of B''

Until now the universe of known agents was populated by customers only. Now we also have another kind of agents. We present one way of making the unknown agents of B known.

Formally, the universe of agents splits into two disjoint universes: Customer and Reader. Customers and readers are related by several functions. If X and Y are distinct customers then in each state there is at most one reader-agent r(X,Y), and there are no other readers.

If r is the reader r(X,Y) then Lord(r) = X and Subject(r) = Y. The readers will be created on the fly when needed (at Start and Ticket moves) and will self-destruct when their task is completed.

Customer

Start
    if mode(me) = satisfied then
        A(me,me) := 1, R(me) := 1, mode(me) := doorway
        ∀Y ≠ me create-reader(me, Y, doorway)

Ticket
    if mode(me) = doorway and (∀Y ≠ me) A(me,Y) ≠ undef then
        A(me,me) := 1 + max_Y A(me,Y), R(me) := 1 + max_Y A(me,Y)
        mode(me) := wait
        ∀Y ≠ me create-reader(me, Y, wait)

Entry
    if mode(me) = wait and
       ∀Y ≠ me (A(me,Y) = 0 or (A(me,Y), id(Y)) > (A(me,me), id(me))) then
        mode(me) := CS

Exit
    if mode(me) = CS then
        mode(me) := done

Finale
    if mode(me) = done then
        R(me) := 0, mode(me) := satisfied
        (∀Y ≠ me) A(me,Y) := undef

where create-reader(X, Y, m) abbreviates the rule

    create r
        agent(r) := true, Reader(r) := true
        program(r) := reader-program
        Lord(r) := X, Subject(r) := Y
        mode(r) := m
    endcreate

Reader
    A(Lord(me), Subject(me)) := R(Subject(me))
    if mode(me) = doorway then
        destroy-reader(me)
    if mode(me) = wait then
        if R(Subject(me)) = 0
           or (R(Subject(me)), id(Subject(me)))
              > (A(Lord(me), Lord(me)), id(Lord(me))) then
            destroy-reader(me)

where destroy-reader(a) abbreviates the rule

    agent(a) := false, Reader(a) := false
    program(a) := undef, Lord(a) := undef, Subject(a) := undef



6.2 Semantics of B''

The semantics of B'' is like that of B but considerably simpler, since all locations are controlled by the known agents and there are no moves monitored by the known agents to put constraints on — it is all in the programs for B''. The reader agents are one way to realize the requirement that those 'for-all commands in the doorway and the wait section of Lamport's pseudocode may be executed in many ways: in various sequences, all at once, concurrently, etc.' In fact the reader agents capture all ways to realize that requirement, see below.

The only assumption we have to make outside of the program is the Progress Proviso, applying here to all agents, both customers and readers:

Progress Proviso 2. No reader and no customer in mode other than satisfied stalls forever.

The reader-agents are created on the fly and destroyed upon completion of their task: the effect of destroy-reader(a), if a is a reader-agent, is returning a to the reserve.
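The customer and reader programs above, together with the Progress Proviso, describe a finite-state system once each customer is limited to a fixed number of protocol rounds, so their claims can be checked mechanically. The following is an added example (my code, not the paper's ASM): it explores every interleaving of customer rules and reader moves, checks mutual exclusion and that every state can still reach completion, and also shows what happens if Entry is allowed to fire on the value read in the doorway rather than after a successful read in W(x) as requirement R1 demands. Customer ids 0..n-1, the `rounds` bound and the `strict` flag are my assumptions.

```python
"""Bounded exhaustive check of the ASM Bakery rules discussed above: Start,
Ticket, Entry, Exit and Finale, with each read of R(Y) into A(X, Y) done by a
separate reader move that self-destructs as in the reader program.

Added example, not the paper's code.  Assumptions: customers are 0..n-1 with
id(X) = X, each executes Start at most `rounds` times (to keep the state space
finite), and `strict` selects the Entry guard: True waits until every wait
reader of X has performed a successful read in W(x) (requirement R1), False
fires as soon as the array condition of the Entry rule holds."""
from collections import deque

SATISFIED, DOORWAY, WAIT, CS, DONE = "satisfied", "doorway", "wait", "CS", "done"
UNDEF = None  # the undef value of the private array A(X, Y)


def initial(n):
    """All registers 0, all customers satisfied, all A(X, Y) undef, no readers.
    A state is (mode, R, A, readers, starts); every component is hashable."""
    return (tuple([SATISFIED] * n), tuple([0] * n),
            tuple(tuple([UNDEF] * n) for _ in range(n)), frozenset(), tuple([0] * n))


def put(A, x, y, v):
    """Copy of the array A with A(x, y) := v."""
    return tuple(tuple(v if (i, j) == (x, y) else A[i][j] for j in range(len(A)))
                 for i in range(len(A)))


def ahead(v, y, A, x):
    """Permission test on a value v read from R(y): v = 0 or (v, id(y)) > (A(x, x), id(x))."""
    return v == 0 or (v, y) > (A[x][x], x)


def moves(state, rounds, strict):
    """Yield every state reachable from `state` by one move of one agent."""
    mode, R, A, readers, starts = state
    n = len(mode)
    for x in range(n):
        others = [y for y in range(n) if y != x]
        m, r, s = list(mode), list(R), list(starts)
        if mode[x] == SATISFIED and starts[x] < rounds:           # Start
            m[x], r[x], s[x] = DOORWAY, 1, starts[x] + 1
            yield (tuple(m), tuple(r), put(A, x, x, 1),
                   readers | {(x, y) for y in others}, tuple(s))   # doorway readers
        elif mode[x] == DOORWAY and all(A[x][y] is not UNDEF for y in others):  # Ticket
            t = 1 + max(A[x])                                     # max over all Y, A(x, x) = 1 included
            m[x], r[x] = WAIT, t
            yield (tuple(m), tuple(r), put(A, x, x, t),
                   readers | {(x, y) for y in others}, starts)     # wait readers
        elif mode[x] == WAIT and (not any((x, y) in readers for y in others) if strict
                                  else all(ahead(A[x][y], y, A, x) for y in others)):  # Entry
            m[x] = CS
            yield (tuple(m), R, A, readers, starts)
        elif mode[x] == CS:                                       # Exit
            m[x] = DONE
            yield (tuple(m), R, A, readers, starts)
        elif mode[x] == DONE:                                     # Finale
            m[x], r[x] = SATISFIED, 0
            cleaned = A
            for y in others:
                cleaned = put(cleaned, x, y, UNDEF)
            yield (tuple(m), tuple(r), cleaned, readers, starts)
    for (x, y) in readers:                                        # one read by r(x, y)
        v = R[y]
        gone = mode[x] == DOORWAY or ahead(v, y, A, x)            # self-destruct condition
        yield (mode, R, put(A, x, y, v), readers - {(x, y)} if gone else readers, starts)


def explore(n, rounds, strict=True):
    """Breadth-first exploration of all interleavings.  Returns
    (number of states, mutual exclusion holds, progress holds), where progress
    means every reachable state can still reach the state in which all
    customers are satisfied and have used up their rounds."""
    succ = {}
    queue = deque([initial(n)])
    mutex = True
    while queue:
        s = queue.popleft()
        if s in succ:
            continue
        mutex = mutex and sum(m == CS for m in s[0]) <= 1
        succ[s] = set(moves(s, rounds, strict))
        queue.extend(succ[s])
    final = {s for s in succ
             if all(m == SATISFIED for m in s[0]) and all(c == rounds for c in s[4])}
    good = set(final)                       # states from which a final state is reachable
    changed = True
    while changed:
        changed = False
        for s in succ:
            if s not in good and succ[s] & good:
                good.add(s)
                changed = True
    return len(succ), mutex, good == set(succ)


if __name__ == "__main__":
    for n, rounds, strict in ((3, 1, True), (2, 2, True), (2, 1, False)):
        states, mutex, progress = explore(n, rounds, strict)
        print(f"n={n} rounds={rounds} strict={strict}: {states} states, "
              f"mutual exclusion={mutex}, progress={progress}")
```

With `strict=False` two customers can both be in CS: one enters on the register value it read in the doorway, while the other legitimately wins the tie (T, id) comparison afterwards, which is exactly the gap that R1 closes.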

6.3 B'' realizes B

The constraints R0–R2 can be read as a rather direct description of what the reader-agents do for their customers in B''. The fact that every run of B'' satisfies R0–R2 follows from the programs and the Progress Proviso (together with the semantics described above or in [4]).

R0 is satisfied in B'' since for every move t of X executing Start, for every Y ≠ X there is a reader r(X,Y) at post(Start(x)). By the programs and the Progress Proviso each of these readers makes a single self-destructive move, which is the b required; by the programs and the Progress Proviso X eventually executes Ticket.

By the programs and the Progress Proviso, for every Y ≠ X there is a reader r(X,Y) at post(Ticket(x)). That reader makes a move in W(x). For R1, R2 it then suffices to note

Fact 3. A move b of r(X,Y) in W(x) is the last such iff it is successful, i.e. T↑(x) < R↑(Y)(b).

R1 is namely satisfied in B'' since for each Y ≠ X we can take the last waiting section move of r(X,Y) for the claimed b.

R2 is satisfied in B'' since if all r(X,Y) for Y ≠ X have a last move in W(x), by the Progress Proviso X must eventually execute Entry. Thus for some Y ≠ X the reader r(X,Y) keeps reading forever — take the sequence of his moves for b_1 < b_2 < ... as claimed.

We have thus established that every run ρ'' of B'' can be viewed as a run of B. Since B, as far as reading is concerned, can be viewed as a declarative description of algorithmic behaviour rather than an algorithm proper, ρ'' can also be seen as a realization of behaviour prescribed by B.

To be more precise, let us introduce an appropriate implementation relation between moves and runs of the two ASMs.

A move t'' by customer X in B'' implements a move t by the same customer in B if the indisputable portions of states (values of mode(X), R(X), A(X,X)) at pre(t''), post(t'') coincide with those at pre(t), post(t) respectively.

A run ρ'' of B'' implements a run ρ of B if the partial order of customers' moves in ρ'' is order-isomorphic to the partial order of customers' moves in ρ, implementing it pointwise: whenever the isomorphism maps a move t'' in ρ'' to a move t in ρ then t'' implements t.

In these terms we have established that B (more specifically R0–R2) provides a sound description of algorithmic behaviour: B'' is an algorithm behaving like that. For the record,

Lemma 8 (Soundness of B''). Each run of B'' implements a run of B.

We can actually claim more. The requirements R0–R2 allow many different behaviours. Is there a behaviour allowed by B which is not captured by the reader-agents of B''? Not really. This is the content of the following lemma, expressing a kind of completeness property.

Lemma 9 (Completeness of B''). Each run ρ of B is implemented by a run ρ'' of B''.
Proof. The idea is to transform ρ to ρ'' by implementing reading moves of ρ with appropriate moves of reader-agents, possibly ignoring some inconsequential monitored moves of ρ. The replacement process is done in the order of ρ, that is, earlier read moves are replaced (or discarded) earlier. The following conditions will be guaranteed by induction for every move b introduced by replacement, for every customer X and every doorway x of X. At pre(b) there is a reader agent r = r(X,Y) for some Y ≠ X. If b is a move of r in x then mode(r)(b) = doorway (so that r self-destructs at b), and if b is a move of r in W(x) then mode(r)(b) = wait (so that r self-destructs at its last move in W(x)).

So let x = (a, b) be a doorway of X. By R0, for each Y ≠ X there is a move b(Y) ∈ x such that A(X,Y)(Ticket(x)) = R(Y)(b(Y)). Recall that we can assume that the b(Y) are all distinct. We implement each b(Y) with a move of r = r(X,Y). By the induction condition r is in mode doorway before b(Y) and therefore self-destructs there.

The case of read moves in W(x) is similar. Since W(x) is complete, R1 guarantees that for each Y ≠ X there is a move b(Y) ∈ W(x) such that R(Y)(b(Y)) = A(X,Y)(Entry(x)). Without loss of generality all moves b(Y) are distinct. Replace every b(Y) with a move of r = r(X,Y). By the induction condition r is in mode wait before b(Y) and therefore self-destructs at the move. If b ∈ W(x) is a monitored move different from all b(Y) we can discard it — also, if there is a b(Y) > b, we can implement b with an unsuccessful, non-self-destructive read of r(X,Y).

Finally remove all remaining monitored moves in ρ. The result is the desired run ρ'' of B'' implementing ρ. □

7 Concluding remarks

Corollary 2 implies the following cofiniteness property for the partial runs of the Bakery algorithm: for each move t the set {s | s ∥ t} of moves incomparable to t is finite. This is a property of the Bakery Algorithm and not of the modelling framework: in spite of Finite History it is easy to concoct legitimate partially ordered runs of some algorithm which violate the cofiniteness property. In the case of the Bakery Algorithm the cofiniteness property implies that any two infinitely active customers have to synchronize infinitely many times.

The cofiniteness property is an example of a property of partial runs that is obfuscated in linear runs (since for linear runs it amounts to Finite History). This indicates that concurrent computations may have significant properties which cannot be discovered by studying only their linearizations. Concurrent computations should be analyzed directly.

Acknowledgements. We thank [names illegible in the scanned source] who have provided very useful remarks on a draft version of this paper.
We present a mathematically precise, platform-independent model of Java concurrency using the Abstract State Machine method. We cover all aspects of Java threads and synchronization, gradually adding details to the model in a series of steps. We motivate and explain each concurrency feature, and point out subtleties, inconsistencies and ambiguities in the official, informal Java specification.

1 Introduction

The Java programming language [7, 3] provides sophisticated support for concurrency. The fundamental operations of concurrent programs are implemented as built-in features of the language. Many of the notoriously complicated details of concurrent programming are hidden from the programmer, simplifying the design of concurrent applications. Furthermore, a platform-neutral memory model is included as part of the language. The incorporation of such intricate, subtle operations into Java calls for a precise specification. As interest in the language's concurrency model increases, Java developers are examining and exploiting its details [ , 7, 6, 4]. The popularity of Java and, more importantly, its emphasis on cross-platform compatibility make the need for such a specification even stronger.

We present a model of the concurrent features of Java, using the formal operational specification method of Abstract State Machines (ASMs) [9, 22, 23]. We use the Java Language Specification manual (JLS) [7] as our reference for the language. The JLS is an informal specification, and due to the ambiguity which pervades natural language, it can be interpreted in different ways. Our model gives an unambiguous specification which reflects our interpretation of the JLS. Throughout the paper, we indicate where ambiguities and omissions in the JLS give rise to other interpretations. The formal specification process also uncovers many subtle but important issues which the JLS does not bring to light. Our goal is a specification that is not only precise but accessible to its readers, even those not familiar with Java, concurrent programming, or ASMs. As part of this

s ere for erf o as I i g Ig r s. 

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. 151–176, 2000.
© Springer-Verlag Berlin Heidelberg 2000
project, we implement the specifications using the AsmGofer interpreter [2 ]. This implementation serves as a convenient tool for prototyping and testing.

It is important to distinguish unintentional ambiguity from intentional underspecification. The authors of the JLS envision support for Java concurrency taking many different forms: "by having many hardware processors, by time-slicing a single hardware processor, or by time-slicing many hardware processors" [7]. The JLS leaves some details unspecified in order to give implementers of Java a certain amount of freedom: "the intent is to permit certain standard hardware and software techniques that can greatly improve the speed and efficiency of concurrent code" [7]. As is usual with the ASM methodology [ , 2], we design our ASMs to model Java concurrency at its natural level of abstraction, capturing the essence of the JLS without committing to any implementation decisions.

While most of the JLS specification is imperative in nature, some of the concurrency model is described in a declarative style: rather than explaining how to execute a concurrent program, the JLS gives conditions that a correct execution must meet. This shift in presentation style is most likely due to the notion that only a declarative specification can be truly implementation-independent.

There are two ways for us to deal with the declarative portions of the JLS. The obvious and simple way is to reformulate the JLS declaratively, as conditions on the execution of our ASM. The other way is to implement the JLS in the ASM itself. We choose to do the latter, wherever it is natural to do so, but in a way that does not sacrifice generality. Our model obeys the conditions established by the JLS, yet it is fully general in the sense that for any concurrent program execution that follows the rules of the JLS, there is a corresponding run of the ASM. We find our imperative approach helpful in creating a clear mental picture of the concurrency model, and in uncovering hidden assumptions, inconsistencies and ambiguities in the JLS.

There are several formalizations of Java concurrency in the literature. Börger and Schulte [3] also use ASMs, to give a semantic analysis of Java that exposes a hierarchy of natural sublanguages. It covers the language features for concurrency, but its focus is on the high-level language rather than the lower-level concurrency model, so it does not provide a full specification of Java concurrency. There are several works [ , 4, ] using the Structural Operational Semantics (SOS) methodology [ ]. Attali et al. [ ] do not concentrate on the lower-level details of Java concurrency, while Cenciarelli et al. [4] give the JLS in a declarative style, in keeping with the presentation in the JLS. As mentioned earlier, we believe that there are advantages to our imperative approach. Coscia and Reggio [ ] explicitly deal with the details of the concurrency model and propose some changes to its design. Gontmakher and Schuster [6] present a non-imperative specification, with the purpose of comparing Java's memory behavior with other well-known notions of consistency. Our focus is different, however: while their work assumes a particular interpretation of the JLS and proceeds from there, our goal is first to come to a clear understanding of the concurrency model as presented in the JLS, and then to discuss its consequences. As we shall see, there are several issues within the JLS which make this initial understanding difficult.

We introduce in §2 the basic rules by which agents (threads) interact with regard to shared variables, and in §3 the special considerations for variables marked as volatile. In §4 we introduce locks, which are used to limit concurrency within a program. In §5 we discuss prescient store actions. In §6 we describe thread objects. In §7, we cover waiting and notification.

Our technical report [ ] provides a complete presentation of our specification. In it, we also prove that our specification is as general as possible while obeying all the correctness criteria of the JLS.

Acknowledgment. This work was partially supported by grant -9 -437 .



2 Shared Variables

In a single-threaded computation, a single agent executes the instructions of a program, one at a time. In contrast, a run of a Java program may be multi-threaded, (intuitively) involving multiple agents that execute instructions concurrently. Each agent executes sequentially, the sequence of its actions forming a thread of execution. In the parlance of distributed computing, the term "thread" is used to refer not only to an agent's computation but also to the agent itself.

Threads may execute on a single processor or multiple processors. The atomic actions of different threads may be interleaved; they may even be concurrent in the case of multiple processors.

Since different threads may access and update common data, the order of their actions affects the results of an execution. The JLS establishes some conditions on the interaction of threads with respect to shared data, but intentionally leaves some freedom to implementers of the language. Consequently, the results of executing a multithreaded program may vary between different Java platforms, and even between different executions on the same platform.

A data value is either an instance of a primitive type, such as int or boolean, or an object, a dynamically created value. A value resides at a location, either in the working memory of a thread or in the main memory. Certain memory locations serve as manifestations of a variable. The master of a variable is the unique location in the main memory that manifests the variable. A thread's working copy of a variable is the unique location in the thread's working memory that manifests the variable. A thread accesses or updates only its working copies.

The JLS speaks of the main memory as an agent which communicates with threads and updates variable master values. While this view is adequate for describing a system with a centralized main memory, it does not capture the possibility of a distributed main memory [ 6], where updates of different variable master copies may occur concurrently. We find it convenient to imagine that each variable has a master agent, which accesses and updates the variable's master copy. Since there is a one-to-one correspondence between variables and their masters, we may identify a variable master with the variable it controls.
We create an ASM to model threads' actions on variables. The agents of the ASM are threads (members of Thread) and variable masters (members of Var). At the beginning of each run, there is a single member of the universe Thread. Since we identify variable masters with the variables they control, a member of the universe Var is both a variable and a variable master. The universe Value represents the set of values that master or working copies of variables may bear. The function masterValue maps each variable to the current value of its master copy. The function workingValue, given a thread and a variable, returns the current value of the thread's working copy of that variable.

A thread's execution engine is the component of the thread that executes the Java program. It may perform actions on variables: creating a variable, assigning a new value to a variable, or using a previously assigned value of a variable. There may be more than one value associated with a variable, but a thread has immediate access only to the value of its working copy. A use or assign action is internal to a thread, involving only its working copy. Since we are not interested here in what a thread computes during its execution, our view of use and assign actions is simple: an assign action just changes the value of a variable's working copy, and a use action does nothing. (Although what happens in a use action is not important to us, we shall see in §3 that the occurrence of a use action may be significant, even at our level of abstraction.) A thread's execution engine may do one other sort of action of interest to us: creating another thread, which may execute concurrently with its creator.

Threads pass values of shared variables among themselves via the main memory. A thread may update the master copy of a variable with a freshly assigned value, or it may request the current value of the master copy. This is done through asynchronous communication with a variable's master agent. To transfer the value of its master copy to a thread's working memory, (the master of) a variable issues a read action. This is followed by a load action by the thread, which installs the value into its working memory. To transfer its working value of a variable to the main memory, a thread issues a store action. This is followed by a write action by (the master of) the variable, which installs the value into the main memory.

No new information is passed from variable to thread in a read-load sequence, and from thread to variable in a store-write sequence. To give a more imperative character to our description, without an essential loss of generality, we introduce an explicit but quite abstract notion of messages passing between threads and variables. When a variable issues a read action, it sends an access message to a thread, and the target thread then receives the message by issuing a load action. When a thread performs a store action, it sends an update message to a variable, and the variable then receives the message by issuing a write action. So for example, we may speak of a thread storing out to a variable by sending it an access message, or a variable writing in from a thread by installing the value of an update message.

We define a universe Msg comprising the universe AccessMsg (messages from variables to threads) and the universe UpdateMsg (messages from threads to variables). The function var maps each access message to the variable that sent it, and maps each update message to the variable that is its intended recipient. The function thread maps each update message to the thread that sent it, and maps each access message to the thread that is its intended recipient. The function Value returns the value contained in a given message.

In any state, the members of the universe AccessMsg that have been sent from a variable v to a thread t form a "subuniverse" of AccessMsg, which we call AccessMsg(v, t). Likewise, the members of the universe UpdateMsg that have been sent from t to v form a subuniverse of UpdateMsg, which we call UpdateMsg(t, v).

While the JLS does not dictate a specific policy on the access of shared variables, it does impose some rules on the concurrent behavior of threads and variables. We present these rules as they appear in the JLS and give our interpretations of them.

Rules 1

1. [p. 403] "The actions performed by any one thread are totally ordered; that is, for any two actions performed by a thread, one action precedes the other."

2. [p. 403] "The actions performed by the main memory for any one variable are totally ordered; that is, for any two actions performed by the main memory on the same variable, one action precedes the other."

3. [p. 403] "It is not permitted for an action to follow itself."

In other words, actions on variables form a partial order (which we denote by <) in which the actions of a single thread are linearly ordered, and the actions of a single variable master are linearly ordered. Note that this supports our view of independent variable master agents as opposed to a monolithic main memory. The read and write actions on a single variable are ordered linearly, but read and write actions on different variables may occur concurrently. This follows naturally if we think of the master copy of each variable as controlled by an independent agent.

Rules 2

1. [p. 403] "Each load action by a thread is uniquely paired with a read action by the main memory such that the load action follows the read action."

2. [p. 403] "Each store action by a thread is uniquely paired with a write action by the main memory such that the write action follows the store action."

3. [p. 4 ] "For every load action performed by any thread t on its working copy of a variable v, there must be a corresponding preceding read action by the main memory on the master copy of v, and the load action must put into the working copy the data transmitted by the corresponding read action."

4. [p. 4 ] "For every store action performed by any thread t on its working copy of a variable v, there must be a corresponding following write action by the main memory on the master copy of v, and the write action must put into the master copy the data transmitted by the corresponding store action."

5. [p. 4 ] "Let action A be a load or store by thread t on variable v, and let action P be the corresponding read or write by the main memory on variable v. Similarly, let action B be some other load or store by thread t on that same variable v, and let action Q be the corresponding read or write by the main memory on variable v. If A precedes B, then P must precede Q."

These rules restrict the ways in which a thread's load and store actions may be interleaved with a variable's read and write actions. First, we note that the term "uniquely paired" in Rules 2.1 and 2.2 is ambiguous. A statement of the form "Each element x of X is uniquely paired with an element y of Y such that φ(x, y)" has a lenient interpretation: "For all x in X there is a unique y in Y such that φ(x, y)." It also has a strict interpretation: "For all x in X there is a unique y in Y such that φ(x, y), and for all y in Y there is a unique x in X such that φ(x, y)." The lenient interpretation allows spurious y's; that is, y's that are not paired with an x. Which interpretation shall we use? The strict interpretation is what the authors of the JLS intended [2 ], so we adopt it here. However, we find that a lenient interpretation of the term in Rule 2.1 has some advantages that make it worth discussing.

Load after read. For every load action L by a thread to a variable v, there is a read action R < L by v such that L loads in the value read out at R (Rules 2.1 and 2.3). This supports our conception of access messages: every load action must load in the value of an access message issued by a previous read action. Furthermore, a thread may not load in the same access message twice (Rule 2.1).

The choice of interpretation of "uniquely paired" determines whether every access message must be loaded in. The strict interpretation, under which every access message is loaded in, is simpler and more appealing from a logical perspective, which is why it is the intended interpretation [2 ]. But note that spurious read actions are innocuous: failing to load in a given access message has only the effect of making a thread's working memory less up-to-date than possible. Furthermore, the lenient interpretation allows a higher degree of independence of threads and variables: a variable is free to issue access messages without concern for whether they are eventually loaded in. For instance, updated master values of an important variable could be broadcast to threads, with each thread deciding whether to load the value in; or blocks (pages) of master values could be sent to a thread, with the thread selecting which values to load in.

Store before write. For every store action S by a thread to a variable v, there is a write action W > S by v such that W writes in the value stored out at S (Rules 2.2 and 2.4). Using our message-passing parlance, every store action sends an update message which must be written in a following write action. As with the case of read and load actions, how one interprets "uniquely paired" determines whether every write action is an action of writing in an update message. Here, adopting the strict interpretation seems less controversial. It is not clear what value a spurious write action writes; at best, it simply rewrites the value that is already in main memory, in which case it is useless, but if it writes a different value, it may obliterate a current value in main memory, replacing it with an outdated or invalid value.

Read/write order follows load/store order. Each thread performs load and store actions on a variable in a certain order, and the variable must perform the corresponding read and write actions in the same order. Let us examine this more closely.

Load/load. If a thread t performs a load action L (with corresponding read action R) on a variable v, and another load action L′ (with corresponding read action R′) on v, Rule 2.5 postulates that (L < L′) ⇒ (R < R′). If v sends access messages m and m′ to t, then t may load in m before m′ only if m was sent before m′. In other words, t loads in ever newer access messages from v. Without loss of generality, we may think of t as discarding m when it loads it in.

The conjunction of Rule 2.3 and Rule 2.5 implies Rule 2.1. Rule 2.1 asserts that each load action has a preceding unique read action. Rule 2.3 asserts that every load action has a preceding read action and Rule 2.5 asserts that different load actions must have different corresponding read actions, ensuring uniqueness.

Store/store. If a thread t performs a store action S on v (with corresponding write action W) and another store action S′ on v (with corresponding write action W′), Rule 2.5 postulates that (S < S′) ⇒ (W < W′). If t sends an update message m to v before sending another update message m′ to v, then m must be written before m′. In other words, v writes in ever newer values stored out by t. Thus writing m′ is allowed only if m has been delivered through a write action. We can think of v as discarding m when it writes it.

Store/load. If a thread t performs a store action S (with corresponding write action W) on v, and then performs a load action L (with corresponding read action R) on v, Rule 2.5 postulates that (S < L) ⇒ (W < R). In other words, if t sends an update message m to v before loading an access message m′ in from v, then v must write m in before sending m′. If t stores its working value out to v and then immediately loads in from v, and other threads do not store out to v in the meantime, then the value it receives from the load is the value it stored. Thus sending m′ is allowed only after the point in time when m is written in. If m′ is sent but not loaded in before this point in time, it can never be loaded in, and thus Rule 2.1 is violated (under the strict interpretation). To avoid this, v must not issue an access message to t as long as there is a pending update message from t to v, and t must not issue an update message to v as long as there is a pending access message from v to t. Furthermore, v and t must be prevented from sending messages to each other concurrently.

Under the assumption that messages take no time to travel, we may require that v checks for incoming update messages from t before sending an access message to t, and t checks for incoming access messages from v before sending an update message to v. But this does not eliminate the possibility of concurrent actions by v and t. Thus some means of avoiding concurrent actions by v and t is necessary. Note that this complication disappears if we were to adopt the lenient interpretation of "uniquely paired" for the pairing of read and load actions. In our example, t could simply ignore the access message m′ and still have its update message m written.

To represent the relative age of messages, we introduce the relation < on messages, and the term Oldest? to determine whether a given message has no predecessors.

    term Oldest?(m): (not ∃m′ ∈ Msg) m′ < m

The JLS does not impose a particular means of ordering messages, so we avoid doing so here by making the function external. We restrict attention to runs in which the function < behaves in the expected way.

Rules 3 Let t be a thread and v be a variable.

1. [p. 404] "A use or assign action by t of v is permitted only when dictated by execution by t of the Java program according to the standard Java execution model."

2. [p. 404] "A store action by t on v must intervene between an assign by t of v and a subsequent load by t of v."

3. [p. 404] "An assign action by t to v must intervene between a load or store by t of v and a subsequent store by t of v."

4. [p. 404] "After a thread is created, it must perform an assign or load action on a variable before performing a use or store action on that variable."

5. [p. 4 ] "After a variable is created, every thread must perform an assign or load action on that variable before performing a use or store action on that variable."

These rules impose constraints on the exchange between a thread's execution engine and working memory.

Use and assign actions. Threads may only issue use and assign actions when needed for progress by the execution engine (Rule 3.1). At the level of abstraction we have chosen, we are not concerned with what threads actually compute, so this rule does not affect our model. Nevertheless, we should note that the term "dictated" is somewhat ambiguous here. For example, let var be an expression that requires a use action on a variable v. In evaluating the expression (var + var), how many use actions on v are dictated by the program? The strictest interpretation would require a use action for each reference to a variable (our example would require two use actions), and this is what the authors of the JLS intended [2 ].

Store actions. If a thread t performs a load or store action LS on v and then performs a store action S on v, Rule 3.3 postulates that t performs an assign action A on v such that LS < A < S. In other words, spurious store actions are forbidden: t may only store out to v if it has a new value to transmit. This prevents the current contents of the main memory from being overwritten by older (i.e., previously stored) values. Without this rule, a thread could store out outdated values it loaded in long ago, overwriting more current values that other threads stored out in the interim.

If a thread t performs an assign action A on a variable v and then performs a load action L on v, there is a store action S by t on v such that A < S < L (Rule 3.2). In other words, a thread must store out a value of a variable v after issuing a sequence of assigns to v, transmitting at least the last assigned value to the main memory, before attempting a load; the assigns are not completely forgotten. A thread may load an access message in from a given variable only if the last working value it assigned has been stored out. Note that a thread may assign to a variable and then use the variable with no intervening load. In this case, no intervening store is required, and the assigned value may simply remain in the working memory.

This makes the coordination between threads and variables more complex. Once t performs an assign on v, its next action on v cannot be a load. So if t assigns a value to v concurrently with v sending an access message to t, t may not subsequently load the message in until it stores its working value out to v. But it cannot perform this store action, as the write action corresponding to the store would follow v's read action; thus Rules 2.1 and 2.3 are violated. To avoid this, v must not issue an access message to t if there is an assign action by t to v that has not been followed by a store action on v, and t must not assign to v if there is a pending access message. Note: the actions which threads and variables must avoid doing concurrently are not reads and stores, as Rule 2.5 might suggest, but reads and assigns.

Use/store actions preceded by assign/load actions. If a thread t performs a use or store action US on a variable v, Rules 3.4 and 3.5 postulate that there is an assign or load action AL < US to v. For use and store actions to behave properly, there must be a valid value in working memory. Initially, all the contents of a thread's working memory are invalid, but as a result of these rules, no invalid value of the working memory is ever used or stored out.

We define the following functions to help enforce the conditions described above. Rule 3.3 allows a thread t to store out its working value of a variable v only if it has assigned a fresh value to v but has not stored it out; Rule 3.2 allows t to load an access message in from v only if it has no freshly assigned working value of v to store out. The function FreshAssign? determines whether a given thread has assigned a fresh value to a given variable without storing it out. Rules 3.4-5 allow t to use its working value of v only if there is a valid value of v in its working memory, installed there by a load or assign action. The function SaneValue? determines whether a given thread has a valid value for a given variable in its working memory.

The actions of a variable master consist of issuing a read message to a thread, and writing in an update message.

    Var: choose among
        choose t: Thread: Read?(t)
            ReadOut to t
        choose t: Thread
            choose m: UpdateMsg(t, Me): Write?(m, t)
                WriteIn m from t

    rule ReadOut to t: extend AccessMsg(Me, t) with m
        Value(m) := MasterValue(Me)

    rule WriteIn m from t: MasterValue(Me) := Value(m)
        UpdateMsg(m) := false

The terms Read? and Write? determine whether the given action is allowed by the rules. Rules 2.5 and 3.2 allow a variable v to read out to a thread t only if every assign action by t on v has been followed by corresponding store and write actions. Rule 2.5 allows v to write a message in from t only if the message is the oldest pending message from t to v.

    term Read?(t): not (FreshAssign?(t, Me) or (∃m ∈ UpdateMsg(t, Me)))

    term Write?(m, t): Oldest?(m)

The actions of a thread consist of storing a value out through an update message, loading in an access message, or taking a step in executing the Java program. Program execution may involve using the working value of a variable, assigning a value to the working copy of a variable, creating a variable, or creating a thread.

rea : c s 

t r gram - tra sf r 

r t r gram: c s 

tra sf r r at ar r at t r a 

V - tra sf r: c s 

c s v: ar: se l{v) 

s V 

c s v: ar: assi ?(u) 

ssig t V 

r - tra sf r: c s 

c s w: ar 

c s m: s (u e ): a 7{m,v) 

a mi fr m V 
c s v: ar: st re 7{v) 

t r t t V 

e defi e rules for load, store, use a d assig actio s, as ell as t e actio s 
of creati g a aria le a d creati gat read. 

r a m i fr m v: rki a e( e v) := a e(m) 

sa e a e?( e v) := tr e 
s (m) := a se 

r t r t t v: res ssi ?( e v) := a se 

t ps(eu)tm 

a e(m) := rki a e( e v) 
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r s w: s p 

r ssig t v: res ssi ?( e v) := tr e 

sa e a e?( e v) := tr e 
c s val: a e 

rki a e( e v) := val 

r r at ar: cr t ar t w 

r r at t r a : cr t rea t t 

e ter s a ?, st re ?, se ? a d assi ? deter i e et er t e 

gi e actio is alio ed t e rules, ule 2. alio sat read t to load a 

essage i fro a aria le u o 1 if t e essage is t e oldest pe di g essage 

fro V to t. ules 3.3- alio t to store out to u o 1 if t ere as ee a assig 

actio t o V it out a folio i g store actio . ules 3.4- alio t to use v 

o 1 if t ere as ee a assig or load actio t at put a alue i t’s orki g 

cop of V. ules 2. a d 3.2 alio t to assig to v o 1 if e er access essage 

fro V to t as ee loaded i . 

t r a l{m,v): est?(m) a t res ssi ?( e v) 

t r St re 1{v)'. res ssi ?( e v) 

t r se 1{v): sa e a e?( e v) 

t r assi 1{v)- ( t 3m s {v e )) 

3 Volatile Variables

The basic model for threads and shared variables, as presented in §2, permits optimizations that reduce the amount of communication between agents and thus enhance the performance of multithreaded programs.

Communication between threads and the main memory can be lessened through caching: keeping values in working memory without transmitting them to main memory or getting new values from main memory. Instead of consulting the main memory every time it uses a variable, a thread may service several use actions on the same variable with a single load action. It may also service several assign actions with a single store action, sending only the last of these assigned values to main memory.

Caching may have undesirable results, particularly for variables that are assigned to and used frequently by different threads. Cached values may become outdated as other threads store out to the main memory. Also, caching assigned values prevents other threads from viewing the newly assigned values as they arise.

Communication between variables can be avoided altogether, allowing them to operate independently of one another. While Rule 2.5 dictates that the order of a thread's actions on a single variable is also followed by the variable, the order of its actions over different variables need not be followed in the main memory. Consequently, variables need not coordinate their actions among themselves.

Hence for certain variables, a stricter discipline is necessary. Java allows the programmer to declare variables volatile at the time of their creation. Volatile variables follow a policy that disallows the optimizations described above.

We modify the ASM to model operations on volatile variables. We add a universe VolVar, representing the set of volatile variables. Every member of VolVar is also a member of Var. The rule CreateVar requires a slight change: a new variable may be marked as volatile.

The JLS imposes the following additional conditions on volatile variables.

Rules 4 [p. 407] "Let t be a thread and let v and w be volatile variables."

1. "A use action by t on v is permitted only if the previous action by t on v was load, and a load action by t on v is permitted only if the next action by t on v is use. The use action is said to be "associated" with the read action that corresponds to the load."

2. "A store action by t on v is permitted only if the previous action by t on v was assign, and an assign action by t on v is permitted only if the next action by t on v is store. The assign action is said to be "associated" with the write action that corresponds to the store."

3. "Let action A be a use or assign by thread t on variable v, let action F be the load or store associated with A, and let action P be the read or write of v that corresponds to F. Similarly, let action B be a use or assign by thread t on variable w, let action G be the load or store associated with B, and let action Q be the read or write of w that corresponds to G. If A precedes B, then P must precede Q."

Load/use actions. If a thread t performs a load action L on v, Rule 4.1 postulates that there is a use action U > L to v, and there is no action Act to v such that L < Act < U. In other words, each value loaded in from the main memory is used exactly once. In contrast, multiple use actions on a non-volatile variable may use a value loaded in by a single load action.

Rule 4.2 postulates that a thread t performs a store action S on a volatile variable v if and only if there is an assign action A < S to v and there is no action Act to v such that A < Act < S. In other words, every assigned value must be stored out and written to the main memory exactly once. For non-volatile variables, assign actions may overwrite one another without having their values stored out.

Read/write order follows use/assign order. Each thread performs use and assign actions on volatile variables in a certain order; Rule 4.3 ensures that the variables must perform the corresponding read and write actions in the same order. This condition is similar to Rule 2.5, but different in some important ways. First, the thread actions mentioned in Rule 4.3 are use and assign actions, as opposed to store and load actions as in Rule 2.5. Also, the ordering holds over actions on all volatile variables, not just those on a single variable.
To account for the behavior of volatile variables, we modify our view of message passing between threads and variables. We think of a volatile variable access message as ending in a use action, as opposed to a load action. Similarly, we think of a volatile variable update message as originating with an assign action, as opposed to a store action. By Rules 2.4 and 4.2, all volatile update messages must be stored out and written, and by Rules 2.3 and 4.1, all volatile access messages must be loaded in and used. We examine this more closely.

Use/use. If a thread t performs a use action U (with corresponding read action R) on a volatile variable v, and another use action U′ (with corresponding read action R′) on a volatile variable w, Rule 4.3 postulates that (U < U′) ⇒ (R < R′). Note that R and R′ may be actions by different variables. Given an access message m from v and an access message m′ from w, t may use m before m′ only if m was sent before m′. In other words, t uses ever newer volatile access messages.

The conjunction of Rule 4.3 with Rules 4.1 and 3.1 implies that volatile variables must work closely with threads' execution engines. Once a thread loads in a read message from a volatile variable, by Rule 4.1 it must use that variable, and by Rule 4.3 it must do so before performing another assign or use action. Rule 3.1 forbids use actions not "dictated" by the execution engine, so the message must be sent with knowledge of what is needed by the Java program. Consider a scenario where a thread has just loaded an access message from a volatile variable v, but the next operation by the execution engine is an assign action on v, or an action on another volatile variable. The only way for t to progress is to issue a gratuitous use action on v, but this is forbidden by Rule 3.1. Therefore, volatile variables must be careful when issuing access messages to a thread, doing so only when it is clear that the thread's execution needs one immediately.

Rule 4.3 also implies that volatile variables must not read out to the same thread concurrently. As the actions of a single thread are linearly ordered, by Rule 4.3 the corresponding read actions must be linearly ordered as well. This may require some coordination between volatile variables; if several volatile variables wish to read out to a single thread, only a single variable at a time may do so.

Assign/assign. If a thread t performs an assign action A (with corresponding write action W) on a volatile variable v, and another assign action A′ (with corresponding write action W′) on a volatile variable w, Rule 4.3 postulates that (A < A′) ⇒ (W < W′). Note that W and W′ may be actions by different variables. In other words, given an update message m from t to v and an update message m′ from t to w, v may write m before m′ only if m was sent before m′. So volatile update messages sent by t are written in the order in which they are sent.

Assign/use. If a thread t performs a use action U (with corresponding read action R) on a volatile variable v, and an assign action A (with corresponding write action W) on a volatile variable w, Rule 4.3 postulates that (A < U) ⇒ (W < R). In other words, if t sends a volatile update message m before using a volatile access message m′, then m must be written in before m′ is sent. Thus sending m′ is allowed only after the point in time when m and all other volatile update messages from t have been written. If m′ is sent but not used before this point in time, it can never be used, hence violating Rule 4.1. To avoid this, v must not issue an access message to t as long as there is a pending volatile update message from t, and t must not issue a volatile update message as long as there is a pending volatile access message to t. Furthermore, volatile access and update messages must not be sent to and from t concurrently.

We define some additional functions to help enforce these conditions. Rule 4.1 requires a thread t to use a volatile variable v if and only if it has loaded in a message from v without using its value. If a thread has loaded in a message from a volatile variable but not used its value, the function MsgToUse returns this message. If a thread has assigned a value to a volatile variable but not stored the value out, the function MsgToStore returns the volatile update message.

The terms Read? and Write? include extra conditions on volatile variables. Rule 4.3 allows a volatile variable v to read out to a thread t only if all assign actions by t to volatile variables have been followed by corresponding store and write actions. To Read? we add the conjunct VolVar(Me) ⇒ (∀u ∈ VolVar) (not ∃m ∈ UpdateMsg(t, u)). Rule 4.3 allows v to write an update message from t in only if the message has been stored out and is the oldest pending volatile message from t. To Write? we add the conjunct VolVar(Me) ⇒ m ≠ MsgToStore(t, Me).

We modify the rules for load and store actions. A volatile access message is removed when it is used, rather than when it is loaded in. A volatile update message is created through an assign action, rather than through a store action.

    rule LoadIn m from v: WorkingValue(Me, v) := Value(m)
        SaneValue?(Me, v) := true
        if VolVar(v) then MsgToUse(Me, v) := m
        else AccessMsg(m) := false

    rule StoreOut to v: FreshAssign?(Me, v) := false
        if VolVar(v) then MsgToStore(Me, v) := undef
        else extend UpdateMsg(Me, v) with m
            Value(m) := WorkingValue(Me, v)

The term Load? includes an extra condition on volatile variables. Rule 4.1 allows a thread t to load a message in from a volatile variable v only if it has used all previously loaded access messages from v. Rule 4.2 allows t to load a message in from v only if it has stored out all previously assigned values to v. To Load? we add the conjunct VolVar(v) ⇒ not SaneValue?(Me, v).

We modify the rules for use and assign actions. A use action on a volatile variable removes the volatile access message from the AccessMsg universe. An assign action on a volatile variable generates an UpdateMsg.

    rule Use v: if VolVar(v) then
        SaneValue?(Me, v) := false
        MsgToUse(Me, v) := undef
        AccessMsg(MsgToUse(Me, v)) := false

    rule Assign to v: FreshAssign?(Me, v) := true
        if not VolVar(v) then SaneValue?(Me, v) := true
        choose val: Value
            WorkingValue(Me, v) := val
            if VolVar(v) then
                extend UpdateMsg(Me, v) with m
                    Value(m) := val
                    MsgToStore(Me, v) := m

The terms Use? and Assign? include extra conditions on volatile variables. Rule 4.1 allows a thread t to use its working value of a variable v only if it has loaded in a message from v without using its value. Rule 4.3 requires this message to be the oldest pending volatile access message to t. To Use? we add the conjunct VolVar(v) ⇒ Oldest?(MsgToUse(Me, v)). Rule 4.2 allows t to assign a value to v only if all of t's previous assigns to v have been stored out, and Rule 4.3 requires that there be no pending volatile access messages to t. To Assign? we add the conjunct VolVar(v) ⇒ not (FreshAssign?(Me, v) or SaneValue?(Me, v) or (∃m ∈ AccessMsg(v, Me))).

If two volatile variables read out to t concurrently, the corresponding load actions will be ordered, since t can only perform one load action at a time. But the read actions will not be ordered, thereby violating Rule 4.3. We restrict attention to runs in which this does not occur.

Rules 4.1 and 4.2 ensure that if a load or assign action on a VolVar occurs, a corresponding use or store action will occur sometime in the future. Similarly to Rules 2.1 and 2.2, these rules can be flouted by delaying a use or store action indefinitely. We restrict attention to runs that avoid this situation.
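The guards of §2 and §3 (Read?, Write?, Load?, Store?, Use?, Assign?, with the volatile conjuncts) can be read off as predicates over an explicit state and exercised on a constructed run. The following Python model is an added example, not the paper's own ASM text or code. It assumes a global send counter as the external message ordering (so Oldest? is "no pending message in the relevant pool has a lower counter"), and it represents MsgToStore(t, v) for a volatile v by FreshAssign?(t, v), which holds exactly while the assigned update message has not yet been stored out; all other names mirror the functions above.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from itertools import count

_age = count()  # stand-in for the external ordering relation: lower age = sent earlier
Msg = namedtuple("Msg", "age thread var value")  # thread/var: sender or intended recipient

def oldest(m, pool): return all(x.age >= m.age for x in pool)  # Oldest?(m) within pool

@dataclass
class Memory:
    volatile: set = field(default_factory=set)   # VolVar
    master: dict = field(default_factory=dict)   # MasterValue(v)
    working: dict = field(default_factory=dict)  # WorkingValue(t, v)
    fresh: set = field(default_factory=set)      # FreshAssign?(t, v); for volatile v also "MsgToStore defined"
    sane: set = field(default_factory=set)       # SaneValue?(t, v)
    access: list = field(default_factory=list)   # AccessMsg universe
    update: list = field(default_factory=list)   # UpdateMsg universe
    to_use: dict = field(default_factory=dict)   # MsgToUse(t, v)

    def updates(self, t, v=None):  # UpdateMsg(t, v); v=None: all volatile updates from t
        return [m for m in self.update if m.thread == t and (m.var == v if v else m.var in self.volatile)]
    def accesses(self, t, v=None):  # AccessMsg(v, t); v=None: all volatile accesses to t
        return [m for m in self.access if m.thread == t and (m.var == v if v else m.var in self.volatile)]

    # guards: the terms Read?, Write?, Load?, Store?, Use?, Assign?
    def can_read(self, v, t):  # Rules 2.5, 3.2; Rule 4.3 adds: no pending volatile update from t
        ok = (t, v) not in self.fresh and not self.updates(t, v)
        return ok and not (v in self.volatile and self.updates(t))
    def can_write(self, m):  # Rule 2.5; Rule 4.3 adds: already stored out, oldest volatile update from t
        if m.var in self.volatile:
            return (m.thread, m.var) not in self.fresh and oldest(m, self.updates(m.thread))
        return oldest(m, self.updates(m.thread, m.var))
    def can_load(self, m, t):  # Rules 2.5, 3.2; Rules 4.1/4.2 add: previous volatile value already used
        ok = oldest(m, self.accesses(t, m.var)) and (t, m.var) not in self.fresh
        return ok and not (m.var in self.volatile and (t, m.var) in self.sane)
    def can_store(self, t, v): return (t, v) in self.fresh  # Rules 3.3-3.5
    def can_use(self, t, v):  # Rules 3.4-3.5; Rules 4.1/4.3 add: an unused, oldest volatile access message
        if v in self.volatile:
            m = self.to_use.get((t, v))
            return m is not None and oldest(m, self.accesses(t))
        return (t, v) in self.sane
    def can_assign(self, t, v):  # Rules 2.5, 3.2; Rules 4.2/4.3 add: nothing fresh or unused, no pending access
        pending = bool(self.accesses(t, v))
        if v in self.volatile:
            return not ((t, v) in self.fresh or (t, v) in self.sane or pending)
        return not pending

    # rules: each step first checks its guard
    def read_out(self, v, t):  # ReadOut to t, performed by variable v
        assert self.can_read(v, t), f"Read? is false for {v} -> {t}"
        self.access.append(Msg(next(_age), t, v, self.master[v]))
    def write_in(self, m):  # WriteIn m from t, performed by variable m.var
        assert self.can_write(m), "Write? is false"
        self.master[m.var] = m.value
        self.update.remove(m)
    def load_in(self, m, t):  # LoadIn m from v, performed by thread t
        assert self.can_load(m, t), "Load? is false"
        self.working[(t, m.var)] = m.value
        self.sane.add((t, m.var))
        if m.var in self.volatile:
            self.to_use[(t, m.var)] = m  # a volatile access message stays pending until used
        else:
            self.access.remove(m)
    def store_out(self, t, v):  # StoreOut to v, performed by thread t
        assert self.can_store(t, v), "Store? is false"
        self.fresh.discard((t, v))
        if v not in self.volatile:  # for a volatile v the update message already exists
            self.update.append(Msg(next(_age), t, v, self.working[(t, v)]))
    def use(self, t, v):  # Use v, performed by thread t
        assert self.can_use(t, v), "Use? is false"
        if v in self.volatile:
            self.sane.discard((t, v))
            self.access.remove(self.to_use.pop((t, v)))
        return self.working[(t, v)]
    def assign(self, t, v, val):  # Assign to v, performed by thread t
        assert self.can_assign(t, v), "Assign? is false"
        self.fresh.add((t, v))
        self.working[(t, v)] = val
        if v in self.volatile:  # a volatile assign sends the update message at once
            self.update.append(Msg(next(_age), t, v, val))
        else:
            self.sane.add((t, v))

def scenario():  # constructed run: non-volatile x, volatile y, one thread t
    mem = Memory(volatile={"y"}, master={"x": 0, "y": 0})
    mem.assign("t", "x", 1)
    x_read_blocked = not mem.can_read("x", "t")    # Rules 2.5/3.2: fresh assign not yet stored
    mem.store_out("t", "x")
    x_stale_store = mem.can_store("t", "x")        # Rule 3.3: nothing fresh left to store
    mem.write_in(mem.updates("t", "x")[0])
    mem.read_out("x", "t")
    mem.load_in(mem.accesses("t", "x")[0], "t")
    mem.assign("t", "y", 7)
    y_early_write = mem.can_write(mem.updates("t", "y")[0])  # Rule 4.3: not stored out yet
    mem.store_out("t", "y")
    y_read_blocked = not mem.can_read("y", "t")    # Rule 4.3: volatile update still pending
    mem.write_in(mem.updates("t", "y")[0])
    mem.read_out("y", "t")
    mem.load_in(mem.accesses("t", "y")[0], "t")
    mem.read_out("y", "t")
    y_second_load = mem.can_load(mem.accesses("t", "y")[1], "t")  # Rule 4.1: first value unused
    return (x_read_blocked, x_stale_store, mem.use("t", "x"), y_early_write, y_read_blocked,
            y_second_load, mem.use("t", "y"), mem.master["x"], mem.master["y"])
```

Each rule method fails loudly when its guard is false, which is the model's counterpart of an ASM rule that simply does not fire; the `can_*` predicates can also be queried on their own to see which steps are enabled in a given state, as `scenario()` does at the points where the rules bite.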

4 Locks

Certain situations require that a thread be able to perform a series of operations without interference from other threads. In general, the programs of threads t1, ..., tn may have critical regions that they should avoid executing concurrently. It seems reasonable to try to prevent ti and tj from entering their critical regions simultaneously. A natural way to solve this problem in an object-oriented framework is to have one critical object related to all these critical regions. All the threads may refer to the critical object, but only one thread may own the object at a given time, and only the owner can execute its critical region. Java provides support for this sort of mutual exclusion. The critical regions are called synchronized regions.

In Java, each object has a unique lock associated with it. A thread gains entry into a synchronized code region of its program by performing a lock action on the lock of the critical object. The thread then owns the lock until it exits the synchronized code region and performs an unlock action on the lock.

Various threads may issue lock or unlock actions on the same lock. The lock and unlock actions on a single lock are performed in conjunction with an arbiter, which restricts the number of threads holding a single lock to one at a time. The JLS speaks of main memory as this arbiter. As with variable master copies, we prefer to think of each lock as controlled by a master agent, rather than by the (possibly distributed) main memory.

We modify the ASM to model operations on locks. The agents are threads, variable masters, and lock masters. We represent locks as members of the universe Lock. As with variables, we identify lock master agents with the locks they control, so a member of the universe Lock is both a lock and a lock master. Objects are members of the universe Object. A LockActionType is either lock or unlock, and a LockAction is a pair consisting of a LockActionType and a lock on which to perform the given action. The function Lock maps each object to its lock.

To see how the introduction of locks ensures that only one thread enters its synchronized region, we must consider the rules for the concurrent behavior of locks.

Rules 5

1. [p. 403] "The actions performed by the main memory for any one lock are totally ordered; that is, for any two actions performed by the main memory on the same lock, one action precedes the other."

2. [p. 403] "Each lock or unlock action is performed jointly by some thread and the main memory."

Rule 5.1 supports our view of independent lock master agents. The actions on a single lock are ordered linearly, but actions on different locks may occur concurrently.

Rules 6 Let T be a thread and L be a lock.

1. [p. 406] "A lock action by T on L may occur only if, for every thread S other than T, the number of preceding unlock actions by S on L equals the number of preceding lock actions by S on L."

2. [p. 406] "An unlock action by thread T on lock L may occur only if the number of preceding unlock actions by T on L is strictly less than the number of preceding lock actions by T on L."

Rule 6.1 ensures that a thread's hold on a lock is exclusive, and Rule 6.2 ensures that for every unlock action there is a unique preceding lock action. But note that the rules allow several lock actions on the same lock to occur in succession, with no intervening unlock action. We find it convenient to think of a thread as building up a number of claims on a lock. A lock action adds a claim, and an unlock action takes one away. Rule 6.1 states that only one thread may have a positive number of claims on the lock; furthermore, a thread may acquire multiple claims on a lock and surrenders the lock when and only when it has given up all claims. Rule 6.2 states that a thread may not release a claim on a lock it does not hold; the number of claims it has on a lock cannot be negative.

These rules ensure that the synchronization mechanism restricts synchronized code regions to one thread at a time. At most one thread at a time may have a positive number of claims on a given lock, and so if several threads need to lock the same lock, they must compete for it. Only the one with a positive number of claims on the lock is allowed into its synchronized region; the others must wait.

The function claims returns the number of claims a given thread has on a given lock. The function syncAction returns the action that the thread is requesting (if any).
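The claim-counting reading of Rules 6.1 and 6.2 can be checked mechanically over a trace of lock and unlock actions. The following Python checker is an added example written for this page, not code from the paper or from its AsmGofer model; the trace format, the thread and lock names and the sample traces are constructed here, and the per-lock ordering it assumes is the one Rule 5.1 guarantees.

```python
"""Trace checker for the JLS lock rules 6.1 and 6.2 as restated in the text:
a lock action adds a claim, an unlock action takes one away, at most one
thread may hold a positive number of claims on a lock at any time, and a
thread may not release a claim it does not hold."""
from collections import defaultdict


class RuleViolation(Exception):
    """Raised with the number of the rule the offending action would break."""


def check_lock_trace(trace):
    """trace: list of (thread, action, lock) triples in the order seen by the
    lock master of each lock (Rule 5.1 orders actions per lock only, so the
    interleaving between different locks is immaterial here).
    Returns the final claims table {(thread, lock): count}."""
    claims = defaultdict(int)
    for i, (thread, action, lock) in enumerate(trace):
        if action == "lock":
            # Rule 6.1: every other thread must have balanced lock/unlock counts
            others = [t for (t, l), n in claims.items()
                      if l == lock and t != thread and n > 0]
            if others:
                raise RuleViolation(
                    f"6.1: step {i}: {thread} cannot lock {lock}, held by {others[0]}")
            claims[(thread, lock)] += 1
        elif action == "unlock":
            # Rule 6.2: unlocks must stay strictly below locks, i.e. claims > 0
            if claims[(thread, lock)] <= 0:
                raise RuleViolation(f"6.2: step {i}: {thread} holds no claim on {lock}")
            claims[(thread, lock)] -= 1
        else:
            raise ValueError(f"unknown action {action!r}")
    return dict(claims)


def holder(claims, lock):
    """The unique thread with a positive number of claims on lock, or None."""
    owners = [t for (t, l), n in claims.items() if l == lock and n > 0]
    assert len(owners) <= 1  # invariant maintained by Rule 6.1
    return owners[0] if owners else None


def violated_rule(trace):
    """The number of the rule a trace breaks, or None if it is admissible."""
    try:
        check_lock_trace(trace)
    except RuleViolation as e:
        return str(e).split(":")[0]
    return None


# Constructed sample traces (not taken from the paper).
REENTRANT = [("A", "lock", "L"), ("A", "lock", "L"), ("A", "unlock", "L"),
             ("B", "lock", "L")]          # B too early: A still has one claim
HANDOVER = [("A", "lock", "L"), ("A", "lock", "L"), ("A", "unlock", "L"),
            ("A", "unlock", "L"), ("B", "lock", "L"), ("B", "unlock", "L")]
UNDERFLOW = [("A", "lock", "L"), ("A", "unlock", "L"), ("A", "unlock", "L")]
DIFFERENT_LOCKS = [("A", "lock", "L1"), ("B", "lock", "L2")]  # independent lock masters

if __name__ == "__main__":
    for name, trace in [("REENTRANT", REENTRANT), ("HANDOVER", HANDOVER),
                        ("UNDERFLOW", UNDERFLOW), ("DIFFERENT_LOCKS", DIFFERENT_LOCKS)]:
        print(name, "violates", violated_rule(trace))
```

The HANDOVER trace shows the claim discipline: A's second lock action is legal, B's lock action only becomes legal after A's second unlock, and a lock action by B before that point is exactly a Rule 6.1 violation.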

A thread may only continue the execution of its program if it is active, i.e. not synchronizing. We change the Thread module accordingly, guarding the rule ExecProgram with the term active?(me).

term active?(t): undef?(syncAction(t))

To the rule ExecProgram, we add the options Sync and CreateObject. We add rules for threads' synchronization actions with locks. A thread synchronizes with a lock for either a lock action or an unlock action.

rule SyncWith ℓ ToPerform act: syncAction(me) := (act, ℓ)

rule Sync: choose obj: Object
           choose act: LockActType
             SyncWith lock(obj) ToPerform act

The rule CreateObject creates a new object and associates it with a new lock. We also modify CreateThread to associate each new thread with a new lock.

rule CreateObject: extend Object with obj
                     extend Lock with ℓ
                       lock(obj) := ℓ

The following JLS rules place some guarantees on the contents of a thread's working memory before and after synchronization actions.

Rules 7 [p. 407] "Let T be a thread, let V be a variable, and let L be a lock."

1. "Between an assign action by T on V and a subsequent unlock action by T on L, a store action by T on V must intervene; moreover, the write action corresponding to that store must precede the unlock action, as seen by main memory."

2. "Between a lock action by T on L and a subsequent use or store action by T on a variable V, an assign or load action on V must intervene; moreover, if it is a load action, then the read action corresponding to that load action must follow the lock action, as seen by main memory."

If a thread t issues an assign action A on a variable v and then issues an unlock action Ul on a lock ℓ, Rule 7.1 postulates that t issues a store action S on v (with corresponding write action W) such that A < S < W < Ul. Note that ℓ and v are independent; for an unlock action on a particular lock ℓ, Rule 7.1 applies to all variables v. Thus when a thread releases a claim on a lock, it is ensured that all its assigned values have been stored out and written to the main memory.

If a thread t issues a lock action Lk on a lock ℓ and then issues a use or store action US on a variable v, Rule 7.2 postulates that either t issues an assign action A on v such that Lk < A < US, or t issues a load action L (with corresponding read action R) on v such that Lk < R < L < US. For a lock action on a particular lock ℓ, Rule 7.2 applies to all variables v. So this rule ensures that by the time a thread acquires a claim on a lock, all the values cached in its working memory have been flushed out to main memory. When a thread acquires a claim on a lock, it acts as if its working memory is empty. Only values assigned or loaded in after the lock action may be used, and only values assigned after the lock action may be stored out.

The conditions imposed by these rules have some ramifications for earlier rules. A read message issued before a lock action cannot be loaded in after the lock action, but Rule 2.1 dictates that such a message must be loaded in. Therefore, all pending read messages must be loaded in before a lock action. Also, a value assigned before a lock action cannot be stored out after the lock action, but Rule 3.2 dictates that it must be stored out. Therefore, all assigned values must be stored out before a lock action.

The actions of a lock master consist of granting a claim to a lock and taking one away.

module Lock:
  choose t: Thread: Lock?(t)
    Lock For t
  choose t: Thread: Unlock?(t)
    Unlock For t

rule Lock For t: claims(t, me) := claims(t, me) + 1
                 syncAction(t) := undef
                 do forall v: Var: sameName?(t, v)
                   sameName?(t, v) := false

rule Unlock For t: claims(t, me) := claims(t, me) - 1
                   syncAction(t) := undef

The terms Lock?(t) and Unlock?(t) determine whether a given action is allowed. A lock action for a thread t on a lock ℓ is allowed only if t is synchronizing for a lock action on ℓ. Rule 6.1 allows such a lock action only if all threads other than t have no claims on ℓ. Rules 3.2 and 7.2 require that all previously assigned values have been stored out. Rules 2.1, 2.3 and 7.2 require that all access messages have been loaded in from main memory. The term Lock?(t) therefore conjoins exactly these conditions: syncAction(t) is a lock action on me, claims(t', me) = 0 for every thread t' other than t, and for no variable v does presAssign?(t, v) hold, is an assigned value still unstored, or is there a pending message in Msgs(t, v). The term Unlock?(t) requires that syncAction(t) is an unlock action on me and that claims(t, me) > 0.
5 Prescient Store Actions

A standard store action sends a value to the main memory from the working memory, where it was put by a preceding assign action. Under certain circumstances, Java allows an optimization in which a store action may precede its corresponding assign action, allowing the value to be transmitted to the main memory sooner than otherwise possible. This type of store action is called prescient, as it must be known ahead of time what the value of the assign action will be.

A prescient store action differs from a normal store action in that the value it sends to the main memory is not the current contents of working memory, but rather some fresh value. We call the following assign action retroactive, since the value it puts into working memory is not a fresh value, but rather the value of the preceding prescient store action. We find it natural to speak of prescient store actions and retroactive assign actions as distinct from regular store and assign actions.

We modify the ASM to model prescient store actions. If a given thread has issued a prescient store action on a given variable, without a corresponding retroactive assign action, the function presStoreVal returns the value of the prescient store.

We define rules for the new actions of prescient store and retroactive assign. Rule 8.4 disallows a store action on v. We also modify the two transfer rules, adding prescient store and retroactive assign as options.

rule StorePrescient: choose v: Var: presStore?(me, v)
    presAssign?(me, v) := false
    choose val: Value
      presStoreVal(me, v) := val
      extend Msgs(me, v) with m
        val(m) := val

rule AssignRetroactive to v: sameName?(me, v) := true
    presStoreVal(me, v) := undef
    workingValue(me, v) := presStoreVal(me, v)
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rescie t store actio s ust o e t e folio i g rules set out i t e : 

r s [p. 4 ] “ uppose t at a store [a t read] T of [a o - olatile 

aria le] V ould folio a particular assig T of V accord! g to t e rules 

of t e pre ious sectio s, it o i ter e i g load or assig T of V. e 
special rule alio s t e store actio to i stead occur efore t e assig actio , if 
t e folio i g restrictio s are o e ed: 

. If t e store actio occurs, t e assig is ou d to occur. 

2. o lock actio i ter e es et ee t e relocated store a d t e assig . 

3. o load of y i ter e es et ee t e relocated store a d t e assig . 

4. o ot er store of 17 i ter e es et ee t e relocated store a d t e assig . 

e store actio se ds to t e ai e or t e alue t at t e assig actio 

ill put i to t e orki g e or of t read T.” 

If a thread t performs a prescient store action PS on a variable v, there is a retroactive assign action RA > PS to v such that RA assigns the value stored out at PS (Rules 8.1 and 8.5). Rules 8.1 and 8.5 ensure that the value t sends to main memory via a prescient store action ends up in t's working memory via a following retroactive assign action.

Furthermore, there is no action Act by t, where Act is a lock action or a load or store action on v, such that PS < Act < RA (Rules 8.2-4). These rules ensure that relocating t's store action on v (i.e. making it prescient) does not affect program behavior, in the sense that the effects of a prescient store action on t's working memory and the main memory are no different from those of the corresponding non-prescient store action.

The terms presStore? and retroAssign? determine whether a prescient store action or a retroactive assign action, respectively, is allowed by the rules. Rules 2.1 and 3.2 allow t to store to v presciently only if every message from v to t has been loaded in and there is no retroactive assign pending. Rule 8 restricts prescient store actions to non-volatile variables, and allows a retroactive assign action only if there is a preceding prescient store action without a corresponding retroactive assign action.

term presStore?(v): ¬vol(v) ∧ undef?(presStoreVal(me, v)) ∧ ¬(∃m ∈ Msgs{v, me})

term retroAssign?(v): def?(presStoreVal(me, v))

Notice that t may issue a use action U on v between PS and RA. If the presciently stored value were to appear in t's working memory before t put it there at RA, t could end up using the presciently stored value prematurely. To prevent this, Rule 8.3 prohibits t from loading in from v between PS and RA. For the same reason, albeit less obviously, Rule 8.2 prohibits a lock action for t between PS and RA. This is needed because if a lock action for t were to occur and then t were to use v between PS and RA, Rule 7.2 would require a load action between PS and U, and such a load action is forbidden by Rule 8.3.

Relocating a store action makes sense only if there is no attempt to store between the relocated (prescient) store action and its (retroactive) assign action. If t were to issue a store action S on v (with corresponding assign action A) between PS and RA, we would get the following undesirable result. S would follow PS, but the order of the corresponding assign actions would be different: RA would follow A. Thus the value stored through PS would be newer (i.e. assigned more recently) than the value stored through the following action S. But Rule 2.1 would dictate that the newer value be overwritten in main memory by the older value. To prevent this, Rule 8.4 prohibits t from storing out a value of v between PS and RA.

Some of the rules introduced in previous sections (namely, 3.2 and following, and 7.1-2) refer to store and assign actions and so must be modified to accommodate prescient store and retroactive assign actions. The rules as they appear in the JLS are not modified when prescient store actions are introduced. We modify the terms Lock?, Load? and Store? so that they enforce Rules 8.2-8.4. If a thread t has stored out presciently to v but has not yet performed the corresponding retroactive assign action, Rule 8.2 disallows a lock action for t, Rule 8.3 disallows a load action to v, and Rule 8.4 disallows a store action to v. To Lock?(t), Load?(t) and Store?(t) we add the conjunct (∀v: Var) undef?(presStoreVal(t, v)).

Rule 8.1 ensures that if a prescient store action on a variable occurs, a corresponding retroactive assign action will occur sometime in the future. As with previous rules, this rule can be flouted by delaying a retroactive assign action indefinitely. We restrict attention to runs that avoid this situation.
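The window opened by a prescient store and closed by its retroactive assign can be checked over a single thread's action sequence. The following Python checker is an added example for this page, not code from the paper; the action-tuple encoding and the sample sequences are constructed here, and it treats a second prescient store of the same variable inside an open window as the "other store" of Rule 8.4.

```python
"""Checker for the prescient-store restrictions (Rules 8.1-8.5 as numbered in
the text) over one thread's action sequence. A prescient store of v opens a
window that must be closed by a retroactive assign of the same value; inside
the window no lock action, no load of v and no other store of v may occur,
while a use of v is still permitted (the text's action U)."""


def check_prescient(actions):
    """actions: tuples such as ("pstore", "v", 7), ("assign", "v", 7),
    ("lock", "L"), ("unlock", "L"), ("load", "v"), ("store", "v"), ("use", "v").
    Returns the list of violated rule numbers in order of detection."""
    pending = {}          # var -> value already sent to main memory presciently
    violations = []
    for act in actions:
        kind, name = act[0], act[1]
        if kind == "pstore":
            if name in pending:
                violations.append("8.4")      # another store of name inside its window
            pending[name] = act[2]
        elif kind == "assign":
            if name in pending:
                if pending.pop(name) != act[2]:
                    violations.append("8.5")  # retroactive assign must carry the stored value
        elif kind == "lock":
            if pending:
                violations.append("8.2")      # no lock action inside any open window
        elif kind == "load":
            if name in pending:
                violations.append("8.3")      # no load of the window's variable
        elif kind == "store":
            if name in pending:
                violations.append("8.4")      # no other store of the window's variable
        elif kind not in ("use", "unlock"):
            raise ValueError(f"unknown action {kind!r}")
    if pending:
        violations.append("8.1")              # the assign never occurred
    return violations


# Constructed sample sequences for a single thread (not from the paper).
OK_RELOCATION = [("pstore", "v", 7), ("use", "v"), ("assign", "v", 7), ("store", "w")]
LOCK_INSIDE = [("pstore", "v", 7), ("lock", "L"), ("assign", "v", 7)]
LOAD_INSIDE = [("pstore", "v", 7), ("load", "v"), ("assign", "v", 7)]
STORE_INSIDE = [("pstore", "v", 7), ("store", "v"), ("assign", "v", 7)]
WRONG_VALUE = [("pstore", "v", 7), ("assign", "v", 8)]
NEVER_ASSIGNED = [("pstore", "v", 7), ("use", "v")]
OTHER_VAR_LOAD = [("pstore", "v", 7), ("load", "w"), ("assign", "v", 7)]

if __name__ == "__main__":
    for seq in (OK_RELOCATION, LOCK_INSIDE, LOAD_INSIDE, STORE_INSIDE,
                WRONG_VALUE, NEVER_ASSIGNED, OTHER_VAR_LOAD):
        print(seq, "->", check_prescient(seq))
```

OTHER_VAR_LOAD passes because Rule 8.3 only forbids loads of the relocated variable itself, whereas LOCK_INSIDE fails regardless of which lock is taken, matching the discussion of Rule 7.2 above.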

6 Thread Objects

We now consider how Java represents threads as objects. An object is an instance of a programmer-defined type called a class. Objects are created dynamically during a thread's computation. A class defines the state variables of its instances and the methods (operations) that may be invoked upon them. Each thread is represented by an object which is an instance of the class Thread. As there is a one-to-one correspondence between threads and their representative objects, we may identify a thread with its object. Information on a thread's state is held in its object. The methods defined in Thread allow a thread to access or modify its own state information and that of other threads.

We modify the ASM to model operations on threads. Since we identify a thread with its Thread instance, a member of the universe Thread is both a thread and a Thread instance. Note that Thread instances are members of both Thread and Object.

After a thread is created, it may be started by invoking the method start upon it. Once started, a thread is alive until it stops, which occurs when the thread's execution engine terminates or the method stop is invoked upon it. If stop is invoked on a thread, the thread throws an exception, signaling the occurrence of an unexpected event. Once a thread stops, it is no longer alive and cannot be restarted. It is possible to stop a thread that has not started; if this happens, the thread will never become alive. It is not stated explicitly in the JLS what happens if start is invoked upon a thread that is already alive. However, the intent seems to be that the invoker of start throws an exception and nothing happens to the invokee [12].

We define functions started? and stopped? to represent the status of each thread. We also define rules Start and Stop, which update them appropriately.

The JLS rules impose some obligations on threads which they may not be able to fulfill after they have stopped. By Rules 2.1 and 2.3 (following the strict interpretation of "uniquely paired"), every access message must be loaded in. By Rule 4.1, every load action on a volatile variable must be followed by a corresponding use action, and by Rule 4.2, every assign action to a volatile variable must be followed by a corresponding store action. The JLS does not make it clear whether these obligations extend to threads that have stopped. Furthermore, it is not clear which choice is the more reasonable one. For instance, in some cases it may be desirable to have the last assign actions of a thread stored out, while in other cases it may be clearly undesirable; for example, consider a thread which is stopped because it is computing erroneous results. Officially, this is still an open issue [20]. For simplicity, we take the view that stopped threads are not obligated to do any further actions.

The JLS rules impose some obligations on variables which may not be fulfilled by the time the execution of all threads terminates; in particular, by Rule 2.4, every store message must be written. Thus it may still be necessary for variables to write in some update messages even after all threads have terminated.

A thread that is alive can be suspended, in which case it remains alive but its execution engine does nothing. A thread is suspended when some thread (possibly itself) invokes the method suspend upon it. A suspended thread resumes (becomes unsuspended) when some other thread invokes the method resume upon its Thread instance. It may be useful to suspend a thread when it cannot make progress by itself, freeing resources for other threads that can make progress. May a suspended thread issue load or store actions? Officially, this is another unresolved issue [20]. Here we choose the more permissive interpretation, allowing suspended threads to issue read and load actions.

We add the function suspended? to represent the suspended status of each thread. We also define rules Suspend and Resume, which update this function.

A thread may be marked as a daemon. Such threads are intended to execute only in conjunction with non-daemon threads, performing "housekeeping" actions which assist non-daemon threads, but no actions useful in themselves. For this reason, once all non-daemon threads have stopped, execution of all threads halts. A program starts with a single non-daemon thread. A new thread starts with the daemon status of the thread that creates it, but its status can be changed via the setDaemon method.

To our ASM we add the function daemon?, which determines a thread's current daemon status, and the rule SetDaemonStatus, which updates this function. We also modify the rule CreateThread. A new thread is added to the Object universe and is initialized as unstarted, unstopped and unsuspended. It inherits the daemon status of the thread that created it.

We define a rule InvokeThreadMethod, which chooses among the options Start, Stop, Suspend, Resume and SetDaemonStatus. We modify the ExecProgram rule, adding the option InvokeThreadMethod. To active?, we add the conjuncts ¬suspended?(t) and undef?(syncAction(t)). We also modify the Thread module, guarding ExecProgram with alive?(me) ∧ ¬allThreadsStopped?.

We define the term alive? to represent the running status of a thread. Also, the term allThreadsStopped? determines whether all non-daemon threads have terminated.

term alive?(t): started?(t) ∧ ¬stopped?(t)

term allThreadsStopped?: (∀t: Thread) alive?(t) → daemon?(t)

We modify the modules for variables and locks. If all non-daemon threads have terminated, the only action a variable may take is to write in update messages, so in the Var module we guard the read option with ¬allThreadsStopped?. There are no actions for locks to take once all non-daemon threads have terminated, so in the Lock module we guard the lock and unlock options with the term ¬allThreadsStopped?.

7 Waiting and Notification

While a thread holds a particular lock, other threads in need of that lock are not allowed to proceed. In certain cases, a thread holding a lock may reach a state from which it cannot progress by itself; in such a case, suspending the thread may not be a solution, as the thread would still hold the lock even when suspended. It would be desirable for the thread to give up control and release its locks temporarily, so that other threads may acquire them.

Java has built-in support for this, through the mechanisms of waiting and notification. If a thread has a claim on the lock of an object, it may release all its claims on the lock and disable itself by invoking the method wait of class Object on the object. Another thread may signal to the waiting thread that further progress is possible through the notify or notifyAll methods. In this way, a waiting thread may resume execution when it is possible, without repeatedly checking its state. Each object has a wait set, empty when the object is created, which contains all threads waiting for the lock on the object.

The method wait is invoked by a thread t on an object obj. The thread t must hold the lock of obj; if it does not, an exception is thrown. Let k be the number of claims t has on the lock of obj; then k unlock actions are performed, and t is added to the wait set of obj and disabled. When t is re-enabled, it attempts to regain k claims on the lock; it may need to compete with other threads to do this. Once the lock claims are restored, the wait method terminates.

We modify the ASM to model waiting and notification actions. A thread goes through several phases while it waits on a lock. First it synchronizes with the lock to release all claims on the lock. Then it waits to be notified by another thread. Once it is notified, it synchronizes with the lock to regain all the claims it released. For a thread that is waiting on a lock, the function waitMode gives the current phase of the thread, the function waitLock gives the lock on which it is waiting, and claimsReleased gives the number of claims that it has (temporarily) released.

We introduce a rule for a thread's actions while waiting on a lock. Note that waiting involves synchronization with the lock during the unlock and relock phases, and that the waiting thread does not change its mode from wait to relock: this is done by another thread, through notification.

The method notify is also invoked by a thread t on an object obj. The thread t must hold the lock of obj; if it does not, an exception is thrown. If the wait set of obj is not empty, one thread is removed from it and enabled. The method notifyAll operates similarly but removes and enables all threads from the wait set. Neither method releases any of t's claims on the lock of obj, so there is no guarantee that the lock will be made available to the notified threads; this is left up to the programmer.

We introduce rules for notification. The method notify operates on a particular thread waiting on a particular lock; the method notifyAll operates on all threads waiting on a particular lock.

rule Notify t: waitMode(t) := relock

rule Notify: choose obj: Object
             choose t: Thread: waitMode(t) = wait ∧ waitLock(t) = lock(obj)
               Notify t

rule NotifyAll: choose obj: Object
                do forall t: Thread: waitMode(t) = wait ∧ waitLock(t) = lock(obj)
                  Notify t
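The three waiting phases and the fact that notification hands over no claims can be played through in a small model. The following Python class is an added example written for this page, not code from the paper; it reuses the claim-counting view of Rules 6.1 and 6.2, and the scenario, thread names and the phase labels "wait" and "relock" are constructed here after the functions waitMode and claimsReleased.

```python
"""Model of wait/notify as described in the text: a waiting thread first gives
up all k claims on the lock (unlock phase), then waits until another thread
notifies it (wait phase), then competes to regain the same k claims (relock
phase). Notification never releases the notifier's own claims."""


class LockModel:
    def __init__(self):
        self.claims = {}           # (thread, lock) -> number of claims
        self.wait_mode = {}        # thread -> "wait" | "relock" | None
        self.wait_lock = {}        # thread -> lock it is waiting on
        self.claims_released = {}  # thread -> claims given up at wait()

    def holder(self, lock):
        owners = [t for (t, l), n in self.claims.items() if l == lock and n > 0]
        return owners[0] if owners else None

    def lock(self, thread, lock):
        """Rule 6.1: refused while another thread holds the lock."""
        h = self.holder(lock)
        if h is not None and h != thread:
            return False
        self.claims[(thread, lock)] = self.claims.get((thread, lock), 0) + 1
        return True

    def unlock(self, thread, lock):
        """Rule 6.2: a claim can only be released by a thread that holds one."""
        if self.claims.get((thread, lock), 0) <= 0:
            raise RuntimeError(f"Rule 6.2: {thread} holds no claim on {lock}")
        self.claims[(thread, lock)] -= 1

    def wait(self, thread, lock):
        k = self.claims.get((thread, lock), 0)
        if k == 0:
            raise RuntimeError("wait() by a thread that does not hold the lock")
        for _ in range(k):                   # unlock phase: k unlock actions
            self.unlock(thread, lock)
        self.claims_released[thread] = k
        self.wait_lock[thread] = lock
        self.wait_mode[thread] = "wait"      # disabled until notified

    def notify_all(self, thread, lock):
        if self.claims.get((thread, lock), 0) == 0:
            raise RuntimeError("notifyAll() by a thread that does not hold the lock")
        for t, l in self.wait_lock.items():
            if l == lock and self.wait_mode.get(t) == "wait":
                self.wait_mode[t] = "relock"  # the rule Notify t of the text
        # the notifier keeps all of its own claims

    def try_relock(self, thread):
        """Relock phase: regain the released claims. Fails while some other
        thread holds the lock; True once all claims are restored."""
        if self.wait_mode.get(thread) != "relock":
            return False
        lock = self.wait_lock[thread]
        if self.holder(lock) not in (None, thread):
            return False
        for _ in range(self.claims_released[thread]):
            assert self.lock(thread, lock)
        self.wait_mode[thread] = None
        return True


def run_scenario():
    """Constructed scenario: A holds two claims and waits; B takes the lock and
    notifies, but A can only finish wait() after B has unlocked."""
    m = LockModel()
    assert m.lock("A", "L") and m.lock("A", "L")
    m.wait("A", "L")
    steps = {"holder_after_wait": m.holder("L")}          # None: both claims released
    assert m.lock("B", "L")
    m.notify_all("B", "L")
    steps["relock_while_B_holds"] = m.try_relock("A")     # False
    m.unlock("B", "L")
    steps["relock_after_B_unlock"] = m.try_relock("A")    # True
    steps["A_claims_restored"] = m.claims[("A", "L")]     # 2
    return steps


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes the programmer's obligation visible: after notifyAll the waiter is merely in the relock phase, and it regains its two claims only once the notifier has released the lock.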
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e at read stops, t e et od notifyAll is i oked upo its o ject. 
is alio s a straig tfor ard i pie e tatio of a tec ique called t r a is. 

0 sider a see ario ere a t read t is e pected to start e ecuti g o 1 after 

a ot er t read t as stopped. e a of i pie e ti g t is is to a, e t i 

it t aiti g u til t as stopped efore proceed! g. i ce notifyAll is 
i oked e at read stops, t a joi it t si pi aiti go t’s o ject. 

1 cestoppi gat read! ol es i oki g notifyAll o its represe tati eo ject, 
e c a ge our rule for stoppi g t reads accord! gl . 

e poi t out a su tie issue. It is ot clear fro t e et er otifica- 

tio precedes stoppi g or i rsa e at read stops. Ho e er, it see s 
reaso a le t at if stoppi gad otificatio do ot occur as a si gle actio , t e 

otificatio ust precede stoppi g (at least i t e case ere a t read stops 

itself). is lea es ope t e possi ilit t at ot er t reads a e otified of t e 

t read’s stop actio efore t e t read as actuall stopped, particular! if t e 

otificatio process takes a relati el lo g ti e. 

reads a e ecute aiti g or otificatio actio s. ecutio of a a a pro- 
gra does ot proceed ile a t read is aiti g, so to t e ter a ti e? e add t e 
CO ju ct ait e{t) yf ait. o t e rule t r gram, e add t e optio s 

tart t ait, tif ad tif . e also add t e guard e ?( ait e( e )); 
if t is e aluates to tr e, t e t e rule ti t ait fires; ot er ise, o e of 
t e ot er optio s is c ose . 

8 Conclusion

The Java concurrency model is currently in a state of flux. Researchers are proposing modifications to the model, to allow common compiler optimizations and programming practices that are currently prohibited by the model [19]. It is our belief that a satisfactory successor to the current model must start with a firm foundation. The specification of the model must not be subject to multiple interpretations, as is the description in the JLS. It is equally important that the specification be accessible to programmers who wish to use concurrency. While multithreaded programming is inherently complicated, the method of documentation should not exacerbate the problem.

We feel that this work has several things to offer the Java community. Our alternative view of Java concurrency brings to light some issues that might otherwise remain hidden in the JLS description. As the ASM model is mathematically precise, it can stand as an unambiguous cross-platform standard for the language. Our account of Java concurrency has an imperative flavor that is familiar to programmers, yet we are not restricted to a purely imperative approach; we are free to use a declarative style wherever it is more natural to do so. By implementing the concurrency model (albeit in a completely abstract way) we can readily see how the various constraints of the JLS definition interact with one another. This is much less obvious if constraints are presented in isolation, as they are in the JLS. Finally, programmers interested in multithreaded Java can explore the model using the AsmGofer prototype. We believe that ASMs are a useful specification tool for both the current and future models of Java concurrency.
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tr ct. verif ing compiler ensures t at t e compiled code is al- 
a s correct but t e compiler ma also terminate it an error mesage 
and t en fails to generate code. e argue t at it respect to compi- 
ler correctness t is is t e best possible result ic can be ac ieved in 
practice, uc a compiler ma even include unverified code provided t e 
results of sue code can be proven correct independent! from o t e 
are generated, e t en s o o abstract state mac ines ( s) can be 

used to uniforml describe ted namic semantics of t e programs being 
compiled across t e various intermediate transformation steps occurring 
it in a compiler, esides being a convenient tool for describing d na- 
mic semantics t e fact t at e do not ave to s itc bet een different 
descriptional met ods is found to be e tremel useful. 



1 Introduction

Many statistics attribute more than 50% of all software failures to problems in requirement engineering, whereas programming errors account for a much smaller percentage, cf. [23,49]. But what if everything in software development was correct except that errors were introduced during compilation? This case is not as infrequent as some people think, cf. [52,37,12,13,14]. Especially, programs often show different behavior with and without optimization. The generated code should behave exactly like the source program; this is of utmost importance especially in safety-critical applications. The requirement can only be ensured by a compiler which verifiably produces correct code. But despite many efforts, cf. e.g. the efforts for validating ADA-compilers, no compiler on the market for a realistic programming language such as Ada, C, C++ or Java is fulfilling this requirement. It is therefore no surprise that safety surveillance institutions such as the "Technische Überwachungsvereine" (TÜV) in Germany often do not accept software written in high-level languages but instead check the resulting assembly code and require the use of non-optimizing compilers.

McCarthy and Painter, [36], were the first to consider correctness of compilation, but for arithmetic expressions only. Many people dealt with the problem

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. 177–202, 2000.
© Springer-Verlag Berlin Heidelberg 2000
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t ereafter as discussed in ect. 9 but nobod succeeded in producing a correct 
compiler for a realistic programming language it at pical mac ine language 
as target. In our opinion t o main causes a e lead to t is: 

e problem as considered in an idealistic, i.e. mat ematical setting in 
ic common data t pes sue as r and fl ere considered like 

integers and reals in mat ematics, i. e. t e range and precision limitations 
on computers ere ignored. In t e same ain storage limitations at compile- 
or run-time and ot er t pes of resource limitations ere ignored. 

e formal met ods c osen for describing t e source and target language 
and of t e intermediate languages in t e compiler made t e treatment of 
realistic languages too difficult, s a consequence attention as restricted to 
relati el small programming languages disregarding t e comple ities and 
dark sides of realistic languages, or t e same reason code generation as 
mostl restricted to stack mac ines using t e data t pes of t e source lan- 
guage. Iso, t e soft are arc itecture for correct compilers in past efforts 
as speciall adapted to t e erification needs. 

In t e present contribution e first discuss t e notion of correctness, e ar- 
ri e at t e conclusion t at t e main goal s ould be t e correctness of t e target 
program produced, not primaril t e correctness of t e compiler itself. is in- 
sig t alio s for reusing t e results of compiler researc of t e past decades and 
for using con entional compiler arc itectures. is discussion is closel related 
to t e problem o to deal it resource limitations of all kinds, e t en intro- 
duce Gurevich’s abstract state mac ines ( s) and so t at t is met od 
is a suitable means for formal! ing t e (d namic) semantic of programming lan- 
guages on all le els of representation. e ad antages include t e facts t at e 
do not a e to speciall adapt t e compiler arc itecture to erification needs, 
and t at e do not a e to s itc bet een different formalisms for describing 
semantics during t e compilation process. 

2 Correctness of Compilation

We consider a pair (L, M) consisting of an imperative or object-oriented programming language L such as Ada, C, C++, Sather-K [20], or Java and a microprocessor such as the Alpha, represented by its machine language M. For simplicity we restrict ourselves to sequential programming languages. The translation of a source program π in L to a target program π' = C(π) in M is certainly correct if π' shows the same behavior as π, i.e. on all inputs π' is producing the same outputs as π.

A state of a computation is called observable if it is the initial or final state or if the operation leading into this state is an input or output operation.¹ Observable states are the only states representing an effect noticeable in the environment of a computation. If we consider states q, q' of the execution of π and π' respectively as sets of state variables, then the requirement of same behavior asks for identifying corresponding state variables in q and q' holding the same values in corresponding observable states. We represent this requirement by a relation ρ between states of π and π'.

¹ The programmer or compiler writer may, at his discretion, designate further states, e.g. procedure entries or exits, as observable.

Correctness of translation then requires that a sequence q0, q1, ..., qi, ... of observable states in the execution of π translates into a sequence q'0, q'1, ..., q'i, ... of observable states of π' and ρ(qi) = q'i holds for corresponding states.

The behavior of π may be indeterministic: Fig. 1 shows the acyclic graph of possible execution paths for the program

do true -> x := 1
[] true -> x := 0
od

in Dijkstra's language of guarded commands.

Fig. 1. Execution paths for an indeterministic program

The implementation may choose an arbitrary path:

do true -> x := 1
od

is a correct translation of this program. For this reason we can only require that each sequence of observable states of the translated program π' = C(π) possesses a corresponding state sequence of the source program π; the converse is not true. Ideally we want to preserve the termination behavior of the source program. For reasons discussed in the next section this is not possible in a realistic environment: we must admit that the target program π' terminates prematurely due to excessive resource demands. Thus, during compilation we cannot preserve total but only partial correctness. Altogether this leads to the following definition of correct translation:

Definition 1. A target program π' is a correct translation of a source program π, π' = C(π), if for all inputs one of the following conditions holds:

– For each sequence S' = q'0, q'1, ..., q'k, ... of observable states of π' there is a sequence S = q0, q1, ..., qk, ... of observable states of π with q'i = ρ(qi) for i = 0, ..., k, .... If S' regularly terminates after k states then so does S.

– For each sequence S' = q'0, q'1, ..., q'k, q'k+1 of observable states of π' terminating with an error message due to resource limitations in state q'k+1 there is a sequence S = q0, q1, ..., qk, ... of observable states of π with q'i = ρ(qi) for i = 0, ..., k.

In these cases the state sequences are called consistent with respect to observability.



3 Resource Limitations

Mathematically speaking the length of nearly all programs exceeds $k$ lines where $k$ is an arbitrarily large number, e.g. the number of atoms in the universe. A compiler $C$ running on a computer in the real world cannot cope with such programs. It must instead be prepared for refusing source programs because the compilation would demand more resources, e.g. storage, than is available. We could even argue that

    begin
      print ("program not compilable due to excessive resource requirements")
    end

is a correct compiler for arbitrary pairs of source and target languages without regard how those languages are defined.

Thus, correct compilation is primarily an engineering issue: we want to produce this error message for as few programs as possible and deliver a correct target program for the remaining source programs. But requiring that a compiler is delivering correct target programs for all source programs is unrealistic.

For becoming realistic we must restrict our goal: we do not want to construct correct compilers but are instead interested in verifying compilers: they ensure the correctness of the target program in case they deliver one; and, of course, we want to make the set of correctly translated programs as large as possible. For similar reasons a compiler cannot be kept responsible if at runtime of the generated program an integer multiplication overflows, or if the number and size of objects to be allocated exceeds certain bounds, or if the operating system on the target machine cannot cope with the number of simultaneously accessed external devices and communication lines, etc. In a realistic environment the programmer of the source program must take precautions against these problems, not the compiler writer. For all such reasons we must allow not only the compiler but also the generated target program to prematurely terminate with an error message due to violation of resource limitations.

If the processor running the compiler or the target program is too slow to achieve the desired result in acceptable time we also have a violation of resource limitations. In practice, when real-time constraints are exceeded, it is infeasible to decide whether the programmer was demanding too much or the compiler generated bad code or the target processor was too slow. We thus do not count execution speed of the target program amongst the correctness criteria.
Let us assume that we have subdivided a compilation $C : \pi \to \pi'$ into a sequence of two or more translation steps $C_1 : \pi \to \pi_1$, $C_2 : \pi_1 \to \pi'$, and that each step yields correct results according to Definition 1. Then, as long as there are no resource violations, each observable state $q'$ of $\pi'$ has a corresponding observable state $q_1$ with $q' = \rho_2(q_1)$ and in turn there is an observable state $q$ with $q_1 = \rho_1(q)$ and hence $q' = \rho_2(\rho_1(q))$ with appropriately defined relations $\rho_1$ and $\rho_2$. If we define $\rho(q) = \rho_2(\rho_1(q))$ then Definition 1 is therefore also fulfilled for the sequence $C = C_1; C_2$ of these steps.

We term this property vertical compositionality of translation steps. It allows the introduction of an arbitrary number of intermediate program representations $\pi_1, \ldots$ into the compilation process. If each individual compilation step is correct then so is the sequential composition of these steps. Traditional compiler architecture is using vertical compositionality for decomposing compilations into a sequence of simpler steps each of which can be dealt with by appropriate methods and tools, cf. Fig. 2 and e.g. [54,39].

Fig. 2. Compiler architecture

Actually, the first row of Fig. 2 shows a decomposition of a compiler into modules only, not necessarily into sequential steps; however, locally for each element of an intermediate representation the phases follow each other sequentially from left to right. Conceptually it is thus justified to consider the phases as sequential steps although the actual merging in time may be much more complex.

G. Goos and W. Zimmermann

The semantics of programming languages and thus the behavior of program executions is usually defined by attaching meaning to certain phrases of a program as given by the (context-free) grammar of the language. The meaning of larger phrases and the program as a whole is then derived by substituting the semantics of subphrases into the semantics of larger ones. This property is called horizontal compositionality (of language elements).

There may be syntactic and semantic limitations for the admissibility of subphrases. A program is termed statically correct if these conditions are fulfilled. Compilers check these conditions during semantic analysis and refuse to generate code for incorrect programs. When discussing verifying compilers we may restrict attention to statically correct programs.

Horizontal compositionality permits to deal with one language element at a time during the vertically decomposed translation steps. It thus adds to the structuring of the compiler. The method is, of course, not applicable before we have determined the phrase structure and during optimization steps which on purpose consider several language elements together.

This raises the question how we can certify the correctness of the abstract syntax tree for a given program text. The requirement same behavior does not help since the dynamic behavior is only defined for the phrases visible in the syntax tree whereas the program text is only serving as a vehicle for deriving this tree. Similarly, as soon as we have decided which instruction sequences correctly represent the intended behavior of phrases in the source program we have established the correctness of the target program. The remaining assembly and linking phase only decides about the proper encoding of the resulting instructions but does not change the semantic meaning. So to say, the assembly phase acts like the inverse of the transformation source text $\to$ syntax tree, but on a different level of abstraction.

Thus, basically only the mapping phase in Fig. 2 is concerned with the semantic correctness of compilation. The remaining phases deal with decoding and encoding the structures which carry semantic meaning. Especially the translation process seen as a mapping between source and target semantics is confined to the mapping phase only. This insight has been ignored for a long time in the discussion about correct compilation.

For lexical analysis, parsers, code selectors and other phases routinely generators are used for deriving the corresponding compiler phase. Verifying such phases would require to verify the correctness of the corresponding generators, a very heavy and burdensome task. Previous work on correct compilation thus relied on hand-writing these phases and verifying the hand-written code. In the next section we show that there is an easier way of dealing with this problem when we relax the requirements and only request that (for certain source programs) the output of a phase is correct instead of requesting that the code of the compiler phase is producing correct results under all circumstances. Under this condition we can use unverified generators and other tools as in traditional compilers and nevertheless trust the resulting code.
5 Verifying Compilers: Use Program Checking

Program checking was originally introduced for algorithms by Blum and Kannan, [ ]. We present it here as in [26] for verifying the outputs of systems such as compilers or parts thereof.

Let $C$ be a program implementing a function $f : I \to O$ with precondition $P(x)$ and postcondition $Q(x, C(x))$ on input $x$. Let $checker(x, y) : Boolean$ be a function that returns the value of $Q(x, y)$. Consider the program

    function C'(x : I) : O
      y := C(x);
      if checker(x, y) then return y
      else abort;
    end;

and assume that $C'(x)$ does not abort. Then the result $Q(x, C'(x))$ holds if $checker$ is correctly implemented. Thus, if $C'$ does not abort then the result $y = C(x)$ fulfills its postcondition no matter how it was computed. In particular, the partial correctness of $C'$ does not depend on the partial correctness of $C$. Therefore we only need to verify $checker$ but not $C$ for getting a verified result. In practice the verification of $checker$ is often much simpler than the verification of $C$. This is particularly true if $C$ contains a lot of optimizations which, from the correctness point of view, are irrelevant as long as they maintain some simple correctness conditions. E.g. the register allocator within a compiler is correct as long as the values assigned to the same register have non-overlapping lifetimes; an optimizing register allocator must maintain this condition while it is devoting most of its effort to avoiding spill code as far as possible; its quality in this respect does not influence its correctness.
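The register-allocator case just described, worked out as an added example (not code from the paper or the Verifix project): an unverified linear-scan allocator plays the role of $C$, a small checker decides the lifetime condition $Q(x, y)$, and the wrapper `checked_allocate` is $C'$. The names `Interval`, `linear_scan`, `everything_in_r0` and `CheckFailed` are this example's own.

```python
"""Program checking applied to a compiler phase (added example).

An unverified register allocator C is wrapped by a small checker deciding the
postcondition Q(x, y): every variable is spilled or gets a valid register, and two
variables sharing a register never have overlapping lifetimes.  C' returns the
allocator's result only when the checker accepts it, otherwise it aborts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Interval:
    var: str
    start: int  # first instruction index at which var is live
    end: int    # last instruction index at which var is live (inclusive)


def overlaps(a: Interval, b: Interval) -> bool:
    return a.start <= b.end and b.start <= a.end


def linear_scan(intervals: List[Interval], nregs: int) -> Dict[str, Optional[int]]:
    """The unverified component C: a linear-scan allocator.

    Returns a register number per variable, or None when the variable is spilled.
    Its correctness is never proved; it is trusted only through the checker.
    """
    alloc: Dict[str, Optional[int]] = {}
    free = list(range(nregs))
    active: List[Interval] = []  # intervals currently occupying a register
    for iv in sorted(intervals, key=lambda i: i.start):
        still_active = []
        for old in active:
            if old.end < iv.start:
                free.append(alloc[old.var])  # lifetime ended: register is free again
            else:
                still_active.append(old)
        active = still_active
        if free:
            alloc[iv.var] = free.pop()
            active.append(iv)
        else:
            alloc[iv.var] = None  # spill
    return alloc


def everything_in_r0(intervals: List[Interval], nregs: int) -> Dict[str, Optional[int]]:
    """A deliberately wrong allocator, to show that C' aborts instead of returning it."""
    return {iv.var: 0 for iv in intervals}


def checker(intervals: List[Interval], alloc: Dict[str, Optional[int]], nregs: int) -> bool:
    """Decides Q(x, y).  This is the only function whose correctness matters."""
    by_reg: Dict[int, List[Interval]] = {}
    for iv in intervals:
        if iv.var not in alloc:
            return False
        reg = alloc[iv.var]
        if reg is None:
            continue
        if not 0 <= reg < nregs:
            return False
        by_reg.setdefault(reg, []).append(iv)
    for ivs in by_reg.values():
        for i in range(len(ivs)):
            for j in range(i + 1, len(ivs)):
                if overlaps(ivs[i], ivs[j]):
                    return False
    return True


class CheckFailed(Exception):
    """Raised where the paper's C' would abort."""


def checked_allocate(intervals, nregs, allocator=linear_scan):
    """C'(x): run C, then return y = C(x) only if checker(x, y) holds."""
    y = allocator(intervals, nregs)
    if checker(intervals, y, nregs):
        return y
    raise CheckFailed("allocation violates the lifetime condition")


# Constructed sample input: four live ranges competing for two registers.
SAMPLE = [Interval("a", 0, 3), Interval("b", 1, 5), Interval("c", 4, 6), Interval("d", 6, 8)]

if __name__ == "__main__":
    print(checked_allocate(SAMPLE, 2))
    try:
        checked_allocate(SAMPLE, 2, allocator=everything_in_r0)
    except CheckFailed as e:
        print("aborted:", e)
```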
Tab. 2. Lines of program code to verify for example back-end

We applied this approach to a compiler front-end for a subset of ANSI C, [ 9, 32]. Details can be found in [3 ]. Tab. 1 shows the results, Tab. 2 shows similar results for the code selection phase using the back-end generator, [22,2 ].

The checker has been written in the object-oriented language Sather-K, [2 ]; a subset of Sather-K comparable to Java will be the first realistic language for which we expect to present a verifying compiler. As can be seen in both cases the verification effort for the checker is by orders of magnitude lower than for the generator or the generated compiler phase.

6 What Must Be Verified

Program checking only verifies that a result $y$ obeys its postcondition $Q(x, y)$. Nevertheless the result could be wrong because the postcondition $Q$ does not ensure the required properties of $y$. For a verifying compiler we must distinguish several proof obligations:

1. Verification of the compiling specification: The compiling specification describes the correspondence of source and target language in formal terms. Source and target languages are usually given by informal descriptions, e.g. an ISO-norm for the source language and processor descriptions by hardware manufacturers.

2. Verification of the compiler specification: This specification introduces the various compiler phases, intermediate representations and data structures, e.g. as in Fig. 2. Formally it must be verified that vertical composition of the compiler phases leads to the mapping given by the compiling specification.

3. Verification of the compiler implementation: A proof is required that the various parts of the compiler architecture are correctly implemented according to the compiler specification.

4. Verification of the compiler encoding: No matter whether the compiler is implemented as a program in a high-level language or directly in assembly code, hardware only accepts bit sequences as inputs. Thus we have to ensure that the symbolic code is properly encoded by bit sequences as required by the hardware.

The compiling specification can only be verified by hand; verification tools cannot be applied since the original descriptions cannot be explored by formal means.

In practice compiling and compiler specification are usually combined. Then the specifications underlying the compiler phases such as the regular expression describing the lexemes, the context-free grammar, etc. must be verified by hand. This combination reveals that the specification of the mapping phase relating notions and concepts of the source and the target language is the crucial part of all these specifications.

As far as theorem provers can be applied the Verifix project relies on the use of PVS, cf. [2 ]. Only the verification of the implementation can be (partially) replaced by program checking.

Verification of the encoding can be achieved by program checking based on the specification of the mapping of symbolic assembly code to binary code. In principle also the results of the linking phase and of the system loader must be checked; this is presently not part of our project.

Compiler phases and program checkers are programs themselves and their correctness depends on the correctness of the compilers used to translate them. To break the cycle that a verifying compiler assumes the existence of another verifying compiler, a suitable bootstrap process is discussed in [27].

7 Abstract State Machines

So far we have discussed what has to be done for achieving a verifying compiler and argued that such a compiler could be built along the guidelines of traditional compiler architecture. Underlying was the assumption that we have formal description methods at our disposal by which we can formalize the requirement same behavior and verify that it is maintained during a compilation.

Fig. 3. Corresponding observable states

The requirement asks for establishing the relation $\rho$ between corresponding observable states as in Def. 1; the diagram Fig. 3 must commute. To this end






we must look into the details of the representation of states and how they are dynamically transformed by executing statements and instructions respectively.

According to our experience abstract state machines, [29, ], provide adequate means to formally handle this problem.

An abstract state machine (ASM) is a tuple $A = (\Sigma, \Phi_{init}, \Phi_{inv}, Rules)$ where $\Sigma$ is a signature, $\Phi_{init}$ and $\Phi_{inv}$ are sets of $\Sigma$-formulas (the initial and invariant conditions), and $Rules$ is a finite set of transition rules. A transition rule is a pair $(\varphi, Updates)$, denoted by

    if $\varphi$ then $Updates$

where $\varphi$ is a $\Sigma$-formula and $Updates$ is a set of pairs $t := t'$ of $\Sigma$-terms, called updates. The set of states is the set $Alg(\Sigma)$ of $\Sigma$-algebras that satisfy the $\Sigma$-formulas in $\Phi_{inv}$, i.e. $q$ is a model for $\Phi_{inv}$ in the sense of logic, $q \models \Phi_{inv}$; $[\![\cdot]\!]_q$ denotes the interpretation function of symbols of $\Sigma$ in the $\Sigma$-algebra $q$. A state is initial iff $q \models \Phi_{init}$.

Remark 1. This definition of ASMs slightly differs from the usual definition. Instead of defining the states to be $\Sigma$-algebras, we define them as sets of $\Sigma$-algebras that satisfy a set of formulas. By this modification we can prove desired properties of ASMs by logical calculi more easily.

The state transition relation $\to$ is based on transition rules. Intuitively, a transition rule $(\varphi, Updates)$ fires if its condition $\varphi$ is satisfied. Formally speaking, the condition is true in state $q$ iff $q \models \varphi$. The updates $t := t'$ of the rule are then executed and change the interpretation of some symbols in the state. A state $q$ is final iff no rule fires in $q$.

Let $Exec(q)$ be the set of updates executed in state $q$. $Exec(q)$ is consistent iff for all $f(t_1, \ldots, t_k) := t$, $f(t'_1, \ldots, t'_k) := t' \in Exec(q)$ the implication $q \models t_1 = t'_1 \wedge \cdots \wedge t_k = t'_k \Rightarrow t = t'$ holds. Then the state transition relation $q \to q'$ is defined by

$$
[\![f]\!]_{q'}(a_1, \ldots, a_n) =
\begin{cases}
[\![t]\!]_q & \text{if } \exists\, f(t_1, \ldots, t_n) := t \in Exec(q) \text{ with } [\![t_i]\!]_q = a_i,\ i = 1, \ldots, n \\
[\![f]\!]_q(a_1, \ldots, a_n) & \text{otherwise}
\end{cases}
$$

for each $n$-ary function symbol $f$ of $\Sigma$ iff $Exec(q)$ is consistent, $q' \models \Phi_{inv}$ and $[\![T]\!]_q = [\![T]\!]_{q'}$ for all sorts $T$ of $\Sigma$ (i.e. the interpretation of sorts is not changed by the state transition).

8 Compilers as Multistep Preservation Systems

In this section, we focus on proving the correctness of the compiling specification, i.e. that the observable behavior of a program is preserved during compilation.

We assume that the dynamic semantics of a program is given by an ASM (not only its observable behavior).

For sequential languages and processors a state transition $q \to q'$ can be split into two parts:

1. determine the flow of control, i.e. the next state $q'$;

2. execute the remaining updates occurring during this transition.

The next statement or instruction (after a conditional jump) $q'$ possibly depends on a Boolean expression with a value already known in state $q$ but unknown during compilation. $q'$ is represented in language and processor descriptions by distinguishing a state variable $\mathit{task}$ indicating the next state. As long as we solely consider the flow of control, its refinements and its translation we can abstract from the details of ASMs and concentrate on this state variable only. This leads to the notion of state transition systems (STS) as defined in Sect. 8.1. State transition systems deal with dynamic sequencing of states. When a compiler transforms the state sequence then it also transforms the sequence of observable states. Thus, the observable states to be preserved can be defined within state transition systems although the proof that the behavior is actually preserved requires details only available in the full ASM descriptions.

The principle of constructing the operational semantics of a program by horizontal composition as explained in Sect. 4 leads to compositions of state transition systems from "smaller" ones defined in Sect. 8.2. Refinements of composed state transition systems can be obtained from refinements of their components.

Footnote: $t = t'$ denotes a $\Sigma$-equation.



8.1 State Transition Systems

Formally, a state transition system (STS) is a triple $S = (Q, I, \to)$ where $Q$ is a set of states, $I \subseteq Q$ is a set of initial states and $\to \subseteq Q \times Q$ is a transition relation. A state $q \in Q$ is final iff there is no $q' \in Q$ with $q \to q'$. A run of $S$ is a finite or infinite sequence of states $(q_0, q_1, q_2, \ldots)$ such that $q_0 \in I$ and $q_{i-1} \to q_i$ for all $0 < i$. A run is complete iff it is infinite or its last state is final. A sub-run of a run $\bar q$ is a subsequence of $\bar q$. A sequence of states is a sub-run of $S$ iff it is a sub-run of some run of $S$. An STS is trivial iff $\to = \emptyset$ and basic iff $\to \subseteq I \times (Q \setminus I)$. We only consider non-trivial STSs. Every run of a non-trivial basic STS consists exactly of one state transition.

An ASM $A = (\Sigma, \Phi_{init}, \Phi_{inv}, Rules)$ defines a STS $S_A = (Q, I, \to)$ with

$Q = \{q \in Alg(\Sigma) \mid q \models \Phi_{inv}\}$,

$I = \{q \in Alg(\Sigma) \mid q \models \Phi_{init} \cup \Phi_{inv}\}$, and

$\to$ is the transition relation of $A$.

Let $S = (Q, I, \to)$ and $S' = (Q', I', \to')$ be STSs and $\phi : Q' \to Q$ be a partial function with domain $\mathrm{dom}(\phi)$. Compilers transform programs frequently by refining them: a single state transition of $S$ is replaced by a sub-run of a more detailed state transition system $S'$. $S'$ $\phi$-refines $S$ iff

(i) $I' \subseteq \mathrm{dom}(\phi)$,

(ii) $\phi(I') \subseteq I$,

(iii) $\phi(q_0) \to \phi(q_n)$ for every sub-run $(q_0, \ldots, q_n)$ of $S'$ with $q_0, q_n \in \mathrm{dom}(\phi)$, $\phi(q_0) \neq \phi(q_n)$ and $q_1, \ldots, q_{n-1} \notin \mathrm{dom}(\phi)$, cf. Fig. 4.
Fig. 4. Refinement and abstraction of STSs

Fig. 5. Horizontal decomposition



Conversely $S$ is called a $\phi$-abstraction of $S'$. The refinement (abstraction) is 1:1 iff $\phi$ is injective, i.e. $\phi(q) \neq \phi(q')$ for every $q \neq q'$. The refinement (abstraction) is complete iff $\phi$ is surjective. The refinement (abstraction) is total iff $\phi$ is a total function with the additional properties that $\phi(q)$ is final in $S$ if $q$ is final in $S'$ and there is no infinite sub-run $(q_i : i \in \mathbb{N})$ with $\phi(q_i)$ final for any $i \in \mathbb{N}$. $S$ and $S'$ are isomorphic iff $S'$ $\phi$-refines $S$ for a total bijective function $\phi : Q' \to Q$.

Remark 2. For final states $q$ of $S'$ it is not ensured that $q \in \mathrm{dom}(\phi)$ and $\phi(q)$ is final in $S$. It seems desirable that properties analogous to (i) and (ii) hold for final states. However, for constructing correct compilers the definition above is exactly what is needed: a final state $q \notin \mathrm{dom}(\phi)$ represents an abortion of an execution due to violation of resource limitations.



Remark 3. The semantics of a program will usually define many intermediate states between two observable states. We may abstract the ASM describing such a program to a STS or, conversely, we may consider the ASM description as a refinement of a STS which only contains observable states. Then it is this abstraction, not the details of the original ASM, which must be preserved during compilation. The abstraction function $\phi$ is thus a special case of the more general relation $\rho$ between states of two STSs.
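Conditions (i)–(iii) of $\phi$-refinement, together with the allowance of Remark 2 for final states outside $\mathrm{dom}(\phi)$, can be checked mechanically on finite STSs. The following is an added example (not code from the paper): $S$ is the observable-state STS of a while loop, $S'$ a more detailed STS whose internal states and a resource-exhaustion state lie outside $\mathrm{dom}(\phi)$; the state names and the function names `abstract_steps` and `refinement_violations` are constructed for this example.

```python
"""Checking the phi-refinement conditions (i)-(iii) on finite STSs (added example)."""
from collections import deque
from typing import Dict, List, Set, Tuple

State = str
STS = Tuple[Set[State], Set[State], Set[Tuple[State, State]]]  # (Q, I, ->)


def reachable(sts: STS) -> Set[State]:
    """States occurring in some run of sts (only those can belong to a sub-run)."""
    _, initial, trans = sts
    seen, todo = set(initial), deque(initial)
    while todo:
        q = todo.popleft()
        for a, b in trans:
            if a == q and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def abstract_steps(sp: STS, phi: Dict[State, State]) -> Set[Tuple[State, State]]:
    """Pairs (q0, qn) of dom(phi) states joined by a sub-run of sp whose
    intermediate states q1 .. q(n-1) all lie outside dom(phi)."""
    _, _, trans = sp
    succ: Dict[State, Set[State]] = {}
    for a, b in trans:
        succ.setdefault(a, set()).add(b)
    pairs = set()
    for q0 in reachable(sp) & set(phi):
        seen_unmapped: Set[State] = set()
        stack = [q0]
        while stack:
            q = stack.pop()
            for r in succ.get(q, ()):
                if r in phi:
                    pairs.add((q0, r))
                elif r not in seen_unmapped:
                    seen_unmapped.add(r)
                    stack.append(r)
    return pairs


def refinement_violations(s: STS, sp: STS, phi: Dict[State, State]) -> List[str]:
    """Returns the violated conditions; an empty list means sp phi-refines s."""
    _, initial, trans = s
    _, initial_p, _ = sp
    found = []
    if not initial_p <= set(phi):
        found.append("(i) an initial state of S' is outside dom(phi)")
    if not {phi[q] for q in initial_p if q in phi} <= initial:
        found.append("(ii) phi maps an initial state of S' to a non-initial state of S")
    for q0, qn in abstract_steps(sp, phi):
        a, b = phi[q0], phi[qn]
        if a != b and (a, b) not in trans:
            found.append(f"(iii) {q0}..{qn} abstracts to {a} -> {b}, not a transition of S")
    return found


# Constructed source STS: observable states of `while cond do body`.
S_LOOP: STS = ({"test", "body", "exit"}, {"test"},
               {("test", "body"), ("body", "test"), ("test", "exit")})
# Constructed refinement: cond is loaded and evaluated in two internal steps, and
# the body may run out of memory ("oom"), a final state outside dom(phi) (Remark 2).
S_DETAIL: STS = ({"t", "c1", "c2", "b", "x", "oom"}, {"t"},
                 {("t", "c1"), ("c1", "c2"), ("c2", "b"), ("c2", "x"),
                  ("b", "t"), ("b", "oom")})
PHI = {"t": "test", "b": "body", "x": "exit"}
BAD_PHI = dict(PHI, oom="exit")  # wrongly treats running out of memory as a normal exit

if __name__ == "__main__":
    print(refinement_violations(S_LOOP, S_DETAIL, PHI))      # []
    print(refinement_violations(S_LOOP, S_DETAIL, BAD_PHI))  # one (iii) violation
```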

If $S'$ refines a STS $S$ then every run of $S'$ induces a run of $S$, cf. Fig. 5:

Theorem 1. Let $S = (Q, I, \to)$ and $S' = (Q', I', \to')$ be two STSs and $\phi : Q' \to Q$ a partial function. $S'$ $\phi$-refines $S$ iff each run of $S'$ is a sequence of sub-runs $(q^{(0)}, \ldots, q^{(m)})$ such that for each sub-run $(q_i, \ldots, q_j)$ of $S$ one of the following conditions holds:

(a) there is a sub-run $(q^{(i)}, \ldots, q^{(k)}, \ldots, q^{(j)})$ of $S'$ with $\phi(q^{(k)}) = q_k$ for $k = i, \ldots, j$;

(b) $j = i + 1$: there is a sub-run $(q^{(0)}, \ldots, q^{(m)})$ of $S'$ with $\phi(q^{(0)}) = q_i$, $\phi(q^{(m)}) = q_j$ and $q^{(k)} \notin \mathrm{dom}(\phi)$ for $0 < k < m$.

The refinement relation on STSs is transitive:

Theorem 2 (Transitivity). Let $S_i = (Q_i, I_i, \to_i)$, $i = 1, 2, 3$ be three state transition systems. If $S_2$ $\phi_1$-refines $S_1$ and $S_3$ $\phi_2$-refines $S_2$ then $S_3$ $\phi_1 \circ \phi_2$-refines $S_1$. $S_3$ is a total refinement of $S_1$ if both refinements are total.

We are interested in these stepwise refinements since they are used in horizontal composition and by translation steps which act like macro-substitutions. But compilers based on pure macro-expansion produce inefficient code in particular for RISC-processors. Stepwise refinement for example would forbid optimizations that change the order of state transitions such as instruction scheduling and code motion.

To cope with this problem we replace in Theorem 2 the abstraction function $\phi_2$ by a more general relation $\rho \subseteq Q_3 \times Q_2$ but still request that $S_3$ is a refinement of $S_1$. Then the relation $\phi' = \phi_1 \circ \rho$ must be a partial function. Furthermore conditions (i)–(iii) for refinements must be ensured by $\phi'$.

For condition (i) we require $I_3 \subseteq \mathrm{dom}(\rho) = \{q^{(3)} \in Q_3 \mid \exists q^{(2)} \in Q_2 .\, q^{(3)}\, \rho\, q^{(2)}\}$ and $\rho(I_3) \subseteq I_2$. Since $I_2 \subseteq \mathrm{dom}(\phi_1)$ we then have $\rho(I_3) \subseteq \mathrm{dom}(\phi_1)$ and thus $I_3 \subseteq \mathrm{dom}(\phi')$.

$\rho(I_3) \subseteq I_2$ also implies condition (ii): since $S_2$ $\phi_1$-refines $S_1$ we have $\phi_1(I_2) \subseteq I_1$. Hence $\phi'(I_3) \subseteq \phi_1(I_2) \subseteq I_1$.

For condition (iii) let $(q^{(3)}_0, \ldots, q^{(3)}_n)$ be a sub-run of $S_3$ with $q^{(3)}_0, q^{(3)}_n \in \mathrm{dom}(\phi')$, $q^{(3)}_1, \ldots, q^{(3)}_{n-1} \notin \mathrm{dom}(\phi')$, and $\phi'(q^{(3)}_0) \neq \phi'(q^{(3)}_n)$. Then $\phi'(q^{(3)}_0) \to_1 \phi'(q^{(3)}_n)$ must hold. Obviously, there must be states $q^{(2)}_0 \in \rho(q^{(3)}_0) \cap \mathrm{dom}(\phi_1)$ and $q^{(2)}_m \in \rho(q^{(3)}_n) \cap \mathrm{dom}(\phi_1)$ such that $\phi_1(q^{(2)}_0) \to_1 \phi_1(q^{(2)}_m)$. Hence, we must require $q^{(2)}_0 \to_2^+ q^{(2)}_m$ for at least one pair of these states. Furthermore, there must be at least one sub-run $(q^{(2)}_0, \ldots, q^{(2)}_m)$ with $q^{(2)}_1, \ldots, q^{(2)}_{m-1} \notin \mathrm{dom}(\phi_1)$; otherwise there would be at least two state transitions from $\phi'(q^{(3)}_0)$ to $\phi'(q^{(3)}_n)$, cf. Fig. 6(c). This property can be ensured by requiring $\mathrm{dom}(\phi_1) \subseteq \mathrm{ran}(\rho) = \{q^{(2)} \in Q_2 \mid \exists q^{(3)} \in Q_3 .\, q^{(3)}\, \rho\, q^{(2)}\}$. Together we have

Theorem 3 (Vertical Composition). Let $S_i = (Q_i, I_i, \to_i)$, $i = 1, 2, 3$ be three state transition systems such that $S_2$ $\phi$-refines $S_1$ for a partial function $\phi : Q_2 \to Q_1$. Let $\rho \subseteq Q_3 \times Q_2$ be a relation with the following properties:

i) $\phi' = \phi \circ \rho$ is a partial function,

ii) $I_3 \subseteq \mathrm{dom}(\rho)$ and $\rho(I_3) \subseteq I_2$,

iii) $\mathrm{dom}(\phi) \subseteq \mathrm{ran}(\rho)$,

iv) for every sub-run $(q^{(3)}_0, \ldots, q^{(3)}_n)$ with $q^{(3)}_0, q^{(3)}_n \in \mathrm{dom}(\phi')$ there are states $q^{(2)}_0 \in \rho(q^{(3)}_0) \cap \mathrm{dom}(\phi)$ and $q^{(2)}_m \in \rho(q^{(3)}_n) \cap \mathrm{dom}(\phi)$ such that $q^{(2)}_0 \to_2^+ q^{(2)}_m$.

Then $S_3$ $\phi'$-refines $S_1$ for the function $\phi' : Q_3 \to Q_1$.
Fig. 6. Vertical decomposition; panels (a) and (b) show the case $\phi'(q_0) = \phi'(q_n)$, panel (c) the case of two transitions between the same abstract states



We say that $S_3$ $\rho$-simulates $S_2$ if $\rho \subseteq Q_3 \times Q_2$ under the conditions of Theorem 3. $\rho$-simulation allows for optimizations that reorder execution.

Remark 4. Condition (iv) considers all sub-runs beginning and ending with states in $\mathrm{dom}(\phi')$ and is more general than argued above. However, every such sub-run can be decomposed into sub-runs that do not contain intermediate states in the domain of $\phi'$. If $\phi'(q^{(3)}_0) = \phi'(q^{(3)}_n)$ then condition (iv) implies that there are states $q^{(2)}_0 \in \rho(q^{(3)}_0) \cap \mathrm{dom}(\phi)$ and $q^{(2)}_m \in \rho(q^{(3)}_n) \cap \mathrm{dom}(\phi)$ such that $q^{(2)}_0 \to_2^+ q^{(2)}_m$. Fig. 6(a) and (b) illustrate condition (iv) for the case $q^{(2)}_0 \neq q^{(2)}_m$ and $q^{(2)}_0 = q^{(2)}_m$ respectively.

Mapping the data of a high-level language program to bits and bytes is a data-refinement. When using ASMs we change signatures and implement the algebras by other algebras. Given a partial injective mapping $\phi : Alg(\Sigma', \Phi'_{inv}) \to Alg(\Sigma, \Phi_{inv})$ then an ASM $A' = (\Sigma', \Phi'_{init}, \Phi'_{inv}, Rules')$ is a data-refinement of $A = (\Sigma, \Phi_{init}, \Phi_{inv}, Rules)$ iff $A'$ $\phi$-refines $A$ and for each transition rule $(\psi', Updates')$ there is exactly one transition rule $(\psi, Updates)$ such that $q' \models \psi'$ implies $\phi(q') \models \psi$.

Assume the operational semantics of a programming language $L$ is defined by an ASM. Assume the state of a program in a given programming language contains data objects allocated in an environment (the procedure stack) and on a heap. A compiler for $L$ must map these objects to the concepts of the target machine, i.e. to byte addressable memory. Besides the given operational semantics $A_L$ of $L$, given by an ASM, we need a second operational semantics $A'_L$ for $L$ using the concepts of the target machine. $A'_L$ is a data-refinement of $A_L$. But given the limited memory of the target machine $A'_L$ contains bounds beyond which it will refuse to allocate additional objects.

Refinement functions $\phi$ are not required to be total. The example exhibits the reason: the stack and the heap of a high-level programming language are unlimited, whereas the memory of the target machine is limited. Hence, a run of $A'_L$ may end in an exceptional state $q_e$ where no more data can be stored. Obviously, $q_e \notin \mathrm{dom}(\phi)$.

Footnote: As usual, $\to^+$ denotes the transitive closure of a binary relation $\to$.

8.2 Programs as State Transition Systems: Compositions

By using horizontal compositionality state transition systems for statements and expressions are combined for obtaining the STS for sequential or conditional execution of statements, for loops, etc. We view the composed STS and its components as graphs and describe the composition as a graph building process. The building blocks are state transition systems as in Fig. 7 with initial and final state (sets) $I$ and $T$. Basic STSs are drawn by ovals instead of rectangles.

Fig. 7. Basic Components for Composition

For two STSs $S_1, S_2$ an edge $S_1 \to S_2$ as in Fig. 8(a) means sequential execution of $S_1$ and $S_2$. It requires that the postcondition $T_1$ of $S_1$ implies the precondition $I_2$ of $S_2$, i.e. each final state of $S_1$ is an initial state of $S_2$. $S_1$ could also have several final states with different postconditions to which we may attach different successors; then $S_1$ acts as a selector; by arriving at a certain final state it selects amongst its successors. In this case, we annotate the corresponding edge with the set of final states. In order to avoid new non-determinism, the sets associated with the out-edges of an STS must be pairwise disjoint. Furthermore, an STS can only be entered at an initial state and left at a final state. Finally, the initial states of a composed STS must be defined. This is modeled by the special vertex $I$: an initial state of a component $S_i$ is initial in the composed STS iff there is an edge $(I, S_i)$.

Then a directed labeled graph $G = (V, E)$ with $V = \{S_1, \ldots, S_k\} \cup \{I\}$ with initial node $I$ (precondition) is a composition of the $k$ STSs $S_1 = (Q_1, I_1, \to_1), \ldots, S_k = (Q_k, I_k, \to_k)$ if each edge $(S_i, S_j)$ is associated with a subset $F_{i,j}$ of the final states $F_i$ of $S_i$, respectively, and the following conditions are satisfied:

i) There exists at least one index $i$ and an edge $(I, S_i)$. (There is a component $S_i$ to begin with.)

ii) $F_{i,j} \subseteq F_i \cap I_j$. (For every edge $(S_i, S_j)$, each state of $F_{i,j}$ is final in $S_i$ and initial in $S_j$.)

iii) $F_{i,j} \cap F_{i,k} = \emptyset$ for every $j \neq k$. (Each final state of $S_i$ unambiguously determines its successor.)

iv) A common state $q \in Q_i \cap Q_j$ of two components $S_i, S_j$ either belongs to $F_{i,j} \cup F_{j,i}$, or there is a $S_k$ such that $q \in F_{i,k} \cap F_{j,k}$. (If two components have common states then either there is an edge between the two components and the state is in the set associated with the edge, or they have a common successor $S_k$ and the state is in the sets associated with both edges $(S_i, S_k)$ and $(S_j, S_k)$.)

Let $S_{j_1}, \ldots, S_{j_l}$ be the successors of $I$ in $G$. The STS $S_G = (Q_1 \cup \cdots \cup Q_k,\ I_{j_1} \cup \cdots \cup I_{j_l},\ \to_1 \cup \cdots \cup \to_k)$ is the STS described by $G$. For convenience, we assume $F_{i,j} = \emptyset$ if there is no edge $(S_i, S_j)$.

Condition (iii) ensures that no new non-determinism is introduced by composition, condition (iv) forbids undesired "jumps" out of a STS.

If the STSs are abstractions from ASMs then the conditions (ii)–(iv) about the state sets $F_{i,j}$ translate into formulae about pre- and postconditions of the ASMs:

ii') For each edge $(A_i, A_j)$ the formula characterizing $F_{i,j}$ implies both the postcondition of $A_i$ and the precondition of $A_j$.

iii') For every component $A_i$ with successors $A_h, A_j$, the set consisting of the formulas characterizing $F_{i,h}$ and $F_{i,j}$ is inconsistent.

iv') For every pair $A_i, A_j$ and every formula $\varphi$ satisfied by states of both $A_i$ and $A_j$, either the formula for $F_{i,j}$ or the formula for $F_{j,i}$ implies $\varphi$, or $A_i$ and $A_j$ have a common successor $A_h$ such that the formulas for $F_{i,h}$ and $F_{j,h}$ both imply $\varphi$.

Remark 5. A state $q$ of the STS $S_G$ described by the composition $G$ is final iff it is a final state of some component $S_i$ and there is no out-edge $(S_i, S_j)$ with $q \in F_{i,j}$. We may make this property explicit by adding a new special vertex $T$, an edge $(S_i, T)$ and associate with it the set $F_{i,T}$ of those final states of $S_i$ which are final in $S_G$.



Example 2. The STS of the sequential composition $\mathit{stmts}_1;\ \mathit{stmts}_2$ is defined by the sequential composition of the STSs of $\mathit{stmts}_1$ and $\mathit{stmts}_2$, cf. Fig. 8(a). A conditional statement $\mathbf{if}\ \mathit{cond}\ \mathbf{then}\ \mathit{stmts}_1\ \mathbf{else}\ \mathit{stmts}_2$ is defined as the sequential composition of the STS for $\mathit{cond}$, a single state transition $\mathit{if}$, and the disjoint union of the STSs for $\mathit{stmts}_1$ and $\mathit{stmts}_2$, cf. Fig. 8(b). A loop $\mathbf{while}\ \mathit{cond}\ \mathbf{do}\ \mathit{stmts}$ is defined as in Fig. 8(c) by a cyclic graph consisting of the STS for $\mathit{cond}$, a single state transition $\mathit{while}$, and the STS for $\mathit{stmts}$.

Obviously, this example only defines the possible control-flow of a program viewed as sequences of possible state transitions. But how e.g. the while node decides amongst its possible successors is yet unspecified. With ASMs this detail can be added:
Fig. 8. STS representing control-flow: (a) $\mathit{stmts}_1;\ \mathit{stmts}_2$, (b) $\mathbf{if}\ \mathit{cond}\ \mathbf{then}\ \mathit{stmts}_1\ \mathbf{else}\ \mathit{stmts}_2$, (c) $\mathbf{while}\ \mathit{cond}\ \mathbf{do}\ \mathit{stmts}$



Example 3. Fig. 9 shows the signature of ASMs for a while-language. The signature contains sorts representing the sort of tasks (or instructions) belonging to various instruction classes. Tasks are represented by constant symbols, i.e. nullary functions of the algebraic signature $\Sigma$, for each instruction occurring in a program. Similarly, variables are represented by a constant for each occurring variable. Fig. 10 shows state transition rules for instruction classes. These are used for the basic STSs defined in Fig. 8. For example, the oval vertex $\mathit{if}$ represents an ASM with the transition rule for IF and $\Phi_{init} = \{\mathit{task} = \mathit{if}_j\}$ for a $j \in \{1, \ldots, k\}$. The next-task function is a partial function. A last task is final. The conditions (i), (ii), (iv) require that each ASM in the composition has different tasks. Let $A = (\Sigma, \Phi_{init}, \Phi_{inv}, Rules)$ be a non-basic ASM used in the composition. Then $\Phi_{init} = \{\mathit{task} = \mathit{task}_1 \vee \cdots \vee \mathit{task} = \mathit{task}_k\}$ where $\mathit{task}_1, \ldots, \mathit{task}_k$ are a set of tasks, some of which are initial in successor ASMs. $\Phi_{init}$ and the final condition have the same form, e.g. specify a disjunction of equations $\mathit{task} = \mathit{task}_i$ of tasks that are initial. An edge $(A, A')$ is also associated with a disjunction of equations $\mathit{task} = \mathit{task}_i$ where each of these equations occurs in the final condition of $A$ as well as in $\Phi_{init}$ of $A'$.



9 Montages

During compilation a program is represented by an abstract syntax tree. The elements of such trees carry semantic meaning and the meaning of a program is composed from the meaning of these elements. The abstract syntax "normalizes" the concrete syntax in several respects: it no longer cares about representational details such as use of keywords or rules for operator precedence etc. These details are encoded either in node names of subtrees or in the structure of an expression tree. Also selection rules such as

    statement ::= assignment | procedure call | loop | ...

which only enumerate the possible alternatives, are avoided: whenever a statement is allowed then one of the alternatives is directly inserted in the abstract
Fig. 9. Signature of ASMs for a while-language. (Sorts and task constants $\mathit{if}_1, \ldots$, $\mathit{while}_1, \ldots$, $\mathit{assign}_1, \ldots$, $\mathit{des}_1, \ldots$, $\mathit{plus}_1, \ldots$, $\mathit{const}_1, \ldots$; constants $x_1, x_2, \ldots, x_n$ for all identifiers of a program; functions for the memory, the task pointer, the value of an expression, the variable of a designator, the value of a constant expression, the next task, the alternative decision, the destination and the source of an assignment, the condition for a decision, and the left and right operand.)



syntax tree.^ Thus, the tree only contains leaves and so-called composition productions composing a language element from smaller units (subtrees). Every tree element has a semantic meaning which influences program execution.

Semantic analysis is concerned with evaluating context conditions, i.e. name analysis, type checking/inference, and operator identification, and checking their consistency; it works on symbolic information and does not care about the dynamic interpretation of a program: whether an operation named "integer addition" really means an addition (not a subtraction) is of no concern. Even the question which algebraic laws are applicable is uninteresting during this phase. Traditionally semantic analysis is described by an attribute grammar, based on abstract syntax.

^ Of course, given the non-orthogonal design of many languages the selection may depend on context conditions which must be checked during semantic analysis.
[Figure: Transition Rules for a While-Language]

Only when we enter the mapping phase of a compiler do we get concerned with the actual (dynamic) semantics of a program: we need to know the control and data flow and certain information about the dynamic interpretation of operations. The required static information can again be represented by attribute grammars. The dynamic semantics must be correctly transformed by the mapping phase; its role is that of invariants which must be preserved.

This description can be represented for each production by a variant of Kutter's montages [35]. Montages were developed for graphically describing the dynamic semantics of source languages by help of ASMs. We use them here for specifying semantic analysis and the mapping phase of a compiler. The main differences to Kutter's montages are that our context-free grammar defines abstract, not concrete syntax, and the static semantics is described by attribute grammars (not by ASMs).

A montage in this sense is a tuple consisting of a composition production $p : X_0 ::= X_1 \cdots X_k$, a control- and data-flow graph $G_p$, attribution rules $R_p$, conditions $C_p$, and a set of transition rules $S_p$. The graph $G_p$ consists of four classes of vertices and edges. A task vertex is graphically represented by an ellipse. There is at most one task vertex representing the start of execution of the montage; this vertex must be labeled with $X_0$. Other vertices are labeled with one of the nonterminals of the RHS of $p$. $I$ and $T$ represent initial and terminal vertices, respectively.

A control-flow edge is drawn dashed, a data-flow edge is drawn solid. The origin of named edges must be task vertices. The origin of a data-flow edge must be a task vertex. Each out-edge of a data-flow edge must be named. The out-edges of a square vertex $X_i$ are labeled with integers. If $X_i$ defines $n$ terminal sets, then $X_i$ has $n$ out-edges. The destination of named control-flow edges must be either task vertices or the set of initial tasks has exactly one element. Analogously, the destination of named data-flow edges must be either task vertices or the set of terminal tasks has exactly one element.

Remark 6. This definition does not exclude non-determinism. It requires that each desired non-determinism is explicitly specified.

The figure below shows the montage for the while-loop. The decision whether the loop ends or is continued rests on the value of the loop condition. This dependence is indicated by a data-flow edge. There may be additional ways for exiting the loop if (as in C) the body contains continue- or break-statements.




[Figure: Montage for While-Loops]



There are two views on the graph $G_p$: First, it defines a set of attributes and attribution rules representing the task structure of programs. Together with the nodes and edges of the graph we have an ASM for the source language. Additionally, we have a parametrized ASM for the target language when names and data-flow edges are removed from $G_p$. The mapping is implicitly specified as a conditional graph rewrite system. A montage thus defines a mapping from abstract syntax to control- and data-flow graphs.

The operational semantics of a program can be composed from the montages representing the involved language elements according to the structure of the syntax tree. Each square vertex represents a different subtree of the AST; conditions (ii)-(iv) of Section .2 are satisfied, since each value of the task pointer specifies the currently executed
.4 Horizontal Composition

The program transformations used by compilers transform the control- and data-flow graphs. We already discussed that the observable behaviour $O$ of the program must be preserved, i.e. the STS assigned to the transformed program must be a refinement of $O$. The program transformations can be described by a finite set of local graph rewrite rules. Horizontal compositionality implies that the correctness of such rules can be proven locally. Since $O$ is given by a (hierarchical) composition $G$ of STSs, it must be ensured that composing refinements by the corresponding composition (i.e. using the same graph and replacing each component by a refinement) is a refinement of $O$.

A composed STS (ASM) can be refined by refining its components. Let $G = (V, E)$ be a composition of $S_1, \ldots, S_k$, let $S'_1, \ldots, S'_k$ be $\phi_1, \ldots, \phi_k$-refinements of $S_1, \ldots, S_k$, respectively, and $\phi = \phi_1 \cup \cdots \cup \phi_k$. Furthermore, let $G' = (V', E')$ be the graph obtained from $G$ by replacing $S_1, \ldots, S_k$ by $S'_1, \ldots, S'_k$, respectively, and associating the sets $E'_{i,j} = \phi^{-1}(E_{i,j})$ with the edges $(S'_i, S'_j)$. We now investigate the requirements for $G'$ being a composition of $S'_1, \ldots, S'_k$ and the STS obtained by $G'$ being a refinement of $G$.

For $G'$ being a composition of $S'_1, \ldots, S'_k$, the condition Section .2(i) is satisfied whereas conditions (ii)-(iv) could be violated. However, this can be cured by "renaming" states. We leave the formal proof of this to the reader. When using montages, such a renaming is not necessary since the task pointer unambiguously defines the current

Let $S, S'$ be the STSs described by $G, G'$, respectively. $\phi$ must be a partial function for $S'$ being a $\phi$-refinement of $S$. This is only the case iff $\phi_i(q) = \phi_j(q)$ for $q \in \mathrm{dom}(\phi_i) \cap \mathrm{dom}(\phi_j)$. It is not hard to see that conditions (i) and (ii) for $S'$ being a $\phi$-refinement of $S$ are satisfied. It remains to prove condition (iii). Obviously, each sub-run of a component is also a sub-run of $S'$. Hence, the only sub-runs that may violate condition (iii) are sub-runs $(q_1, \ldots, q_n)$ with $q_1, q_n \in \mathrm{dom}(\phi)$ and $q_2, \ldots, q_{n-1} \notin \mathrm{dom}(\phi)$, where $q_1$ and $q_n$ strictly belong to the states of two different STSs. However, there are no such sub-runs because $\ldots \subseteq \mathrm{dom}(\phi_j) \subseteq \mathrm{dom}(\phi)$ for all $i, j$.

Hence, we obtain the

Theorem 4. Let $G$, $S_1, \ldots, S_k$, $S'_1, \ldots, S'_k$, $G' = (V', E')$ and the $\phi_i$ be as above. If $G'$ is a composition of $S'_1, \ldots, S'_k$ and $\phi_i(q) = \phi_j(q)$ for all $i, j$ with $i \neq j$ and $q \in Q_i \cap Q_j$, then the STS $S'$ obtained from $G'$ is a $\phi$-refinement of the STS $S$ obtained from $G$.

Again, it is not hard to see that these conditions can be ensured by simply renaming the states. In the case of montages, only $\phi_i(q) = \phi_j(q)$ for $q \in Q_i \cap Q_j$ has to be proven. If no data are refined, the condition is always true. Hence, the compositional refinement of montages is easy to prove whereas data-refinements (e.g. memory mapping) require additional work.
Correct Compilations

A compilation from one language to another consists of two tasks: data mapping and operation mapping. In this subsection, we demonstrate the use of the above theory for showing the correctness of compilations. We use the two ASMs given by montages for implicitly describing data and operation mapping. Our goal is to independently prove the correctness of data mappings and of conditional graph rewrite rules.

Consider first the data mapping. Above, we decomposed ASMs into a "behavioural" part and a data part. A data mapping only maps the data part and keeps the behavioural part. In particular, it assigns a new semantics (by means of an ASM) to the source language using the concepts of the data part of the target language (e.g. implementing a runtime stack using an address-based memory). Since the behavioural part is kept, the correctness of this mapping can be shown by proving that the new ASM refines the source-language ASM. In order to complete the correctness proof, we have to show according to Theorem 3 that the new ASM $\rho$-simulates the source-language ASM.

Theorem 4 can be used to prove that the new ASM $\rho$-simulates the source-language ASM. Observe that ASMs are STSs and we now use the behavioural part of an ASM, i.e. its view as an STS. Theorem 4 allows us to independently prove the correctness of any graph rewrite rule. The relation $\rho$ relates the initial and final states of the left-hand side and the right-hand side of the graph rewrite rule, respectively.

If a graph rewrite rule has an application condition, the correctness proof can assume that this condition is satisfied. The compiler verifies the satisfaction of this condition using program checking (in general it checks a stronger condition because the application condition may be state dependent).



Related Work

Correctness of compilers was first considered in [36] but focused on the compilation of arithmetic expressions. Thereafter most people explored the potential of denotational semantics, e.g. [ 5,4 ,4 ,44,45,4 ,56], or of refinement calculi, e.g. [6,4, , 6, 7,33,3 ,43], structural operational semantics, e.g. [ ], and algebraic models, e.g. [5 ]. Other approaches use abstract state machines, e.g. [6, 4, ]. Most of these projects did not compile into machine language. Instead, they designed abstract machines, and compiled for interpreters of these abstract machines.

These semantics-based approaches lead to monolithic compilers, cf. [24,53]. They neither allow for reuse of traditional compiler technology nor do they prepare for program reorganizations, as necessary for global optimization on the machine code level. E.g., expressions are usually refined into postfix form and then interpreted on a stack machine. The efficiency of the generated code is by magnitudes worse than that of other compilers and thus does not meet practical requirements, cf. [ ,44]. Except [3 ], even projects which really generated machine language, e.g. [6,4,42,43], and ProCoS, [33], chose the transputer, i.e., a stack machine, as their target. [3 ] discusses compilation of a stack-based intermediate language (Piton) into an assembly language of the register-based processor FM9001. The correctness proofs of the transformations as well as their implementation (in ACL2 logic) are checked mechanically using the ACL2 interpreter. In contrast to our work, the compilation is a macro-expansion and the source programs must be terminating regularly.

The idea of program checking was originally applied to algorithms in [ ] and continued in [2,3,57]. [26] discusses its application to constructing correct systems. [46,47] apply the idea to translating synchronous languages (SIGNAL, Lustre, Statecharts) to C programs; however, their assumptions allow only for (reactive) source programs consisting of a single loop; the loop body must implement a function from inputs to outputs; only the loop body is checked.

Many languages have been described so far using abstract state machines, e.g. C [3 ], C++ [55], Prolog/WAM [ ], Occam/Transputer [6,4], Java [ ], Java Virtual Machine [9, ,5 ], [5], 2 [34], -Alpha [25], X [7].

Conclusions

We have introduced a notion of compiler verification which remains feasible also in the presence of the unavoidable limitations of realistic hardware and software. This notion together with the idea of program checking has laid the ground for a compiler architecture very similar to traditional architectures. We thus can also generate efficient target code comparable to the code quality of other compilers. Nevertheless, constructing verifying compilers will remain a tedious task for the foreseeable future.

In this work state transition systems and abstract state machines have shown their usefulness as a unifying descriptional tool for specifying the dynamic semantics of the programs being compiled on all levels of internal representation within the compiler. ASMs have not only led to easily understood and natural specifications. The main advantage is that we do not have to change horses in the middle of the river and can apply the same specification seamlessly to all transformation steps. The expressive power of ASMs is only partially used in this work: The number of cases in the proofs of many theorems can be considerably reduced by adhering to a common discipline of the features being used.
Abstract. The Abstract State Machine (ASM) methodology is a methodology for formally specifying computing systems. We use the ASM methodology to give the dynamic semantics of the functional programming language Standard ML. We give an operational semantics for Standard ML by means of an interpreter for (appropriately pre-processed) Standard ML programs; the effect of a Standard ML instruction can be seen in terms of the corresponding actions performed by the ASM.

1 Introduction

The Abstract State Machine (ASM) methodology [ ] is a methodology for formally specifying computing systems (software, hardware, or mixed). First introduced by Gurevich [9] (under their former name, "evolving algebras"), the methodology is mathematically precise, yet general enough to be applicable to a wide variety of problem domains [3,7, 5]. The ASM thesis [ 2] asserts that any computing system can be described at its natural level of abstraction by an appropriate ASM.

Standard ML (SML) is a functional programming language. It has been described as a "safe, modular, strict, functional, polymorphic programming language with compile-time type checking and type inference, garbage collection, exception handling, immutable data types and updatable references, abstract data types, and parametric modules." [ ]

In this paper, we describe the dynamic semantics of SML using the ASM methodology, using Milner [ 9] as our definition of SML. We describe the dynamic semantics of SML by describing an ASM which acts as an interpreter, executing an (appropriately pre-processed) SML program. This provides an operational semantics for SML; the effect of a given SML instruction can be seen in terms of the corresponding actions performed by the ASM.

We separate concerns in this work and restrict our attention to the dynamic semantics of SML, assuming that all static semantic analysis and checking has been performed in a pre-processing stage. We also follow Milner [ 9] in restricting our attention to the so-called "bare" language of SML: a subset of SML from which all other language constructs in SML can be derived. (For example, arbitrary tuples of the form $(t_1, t_2, \ldots, t_n)$ are translated into records of the form

Gurevich et al. (Eds.), pp. —. Springer-Verlag Berlin Heidelberg
$\{1 = t_1, 2 = t_2, \ldots, n = t_n\}$.) Notice that this does not limit the scope of the work; using appropriate substitutions, any SML program can be translated into the bare language and thus given semantics by our descriptions.

For brevity, we omit discussion of constructs dealing with structure restrictions, functor applications, layered patterns, declarations, and value bindings; a full discussion of these constructs may be found in [6].

We assume familiarity with sequential ASMs in the following sections; see [ ] for an introduction to sequential ASMs.



2 An ASM for Simple Expressions



We now describe an ASM which acts as an interpreter for SML programs. Since we are solely concerned with the dynamic semantics of SML rather than the static semantics, we assume that all static analysis has already been performed on the program to be interpreted. The input program will thus be represented in an abstract form (to be described). The ASM operates by walking through this form of the program, performing the required calculations and changes to the system state.

In this section, we focus on the evaluation of arbitrary expressions written in the "bare" language. In succeeding sections we expand our focus to include other features of SML.



2.1 Universes and Functions

An SML program is a collection of terms; consequently, we define a universe Terms which is used to represent a given SML program. The inter-relationships between the various terms in a program are described by various unary functions, most of which are described as they are needed. For example, we use the unary function Next: Terms → Terms to indicate the next term in a sequence of terms being evaluated linearly. Similarly, we use the unary function Parent: Terms → Terms to indicate the smallest enclosing term of a given term. For example, (the term representing) the expression "1 + 2" is the parent of (the term representing) the expression "1".

A nullary function CurTerm indicates the current term being evaluated (similar to the role of an instruction counter). CurTerm acts as the focus of attention for the ASM; at each step the ASM examines various information regarding CurTerm and makes the appropriate changes to the state.

To identify particular terms, we define a universe of Kinds and a unary function Kind: Terms → Kinds used to label individual terms. Members of Kinds will be specified as needed. For example, any term t representing a function application satisfies Kind(t) = Function, where Function is a nullary function indicating a unique element of Kinds. (Our intuitive name for Kinds might be "Types"; we choose not to use that name to avoid confusion with SML's extensive type system.)
[Fig. 1. Evaluating constants. The rule fires if OK and CurTerm.Kind = Constant; it sets CurTerm.Val := CurTerm.ConstVal and then performs KEEPGOING.]

The result of evaluating an expression is a value; consequently, we define a universe of Values comprising the set of possible results of expression evaluation. We use a unary function Val: Terms → Values to record the results of evaluating a particular term during the course of a computation; the ASM updates Val throughout the computation as values propagate from child terms to parent terms.

SML uses special values called exceptions to indicate the presence of errors during a computation; the existence of an exception alters the normal flow of control. We use a universe Exceptions (a subset of Values) to represent the set of these special values; a nullary function CurException indicates the current exception (value) which is propagating through the system. If no exception is propagating, CurException has the special value undef.

We use two simple abbreviations in our rules. OK abbreviates the term "CurException = undef"; it indicates that the computation in process is proceeding normally (i.e., no exception is present). KEEPGOING abbreviates the rule "CurTerm := CurTerm.Next"; it is used when the current term has been processed and attention should be passed to the next term in the sequence of terms. These abbreviations are introduced to improve the readability of the forthcoming rules; additionally, we will later re-define the KEEPGOING abbreviation as the need for a more complicated "keep-going" command becomes necessary.

2.2 Constant Expressions

Evaluating a constant requires almost no work; the result of evaluating a constant is the corresponding constant value. We use a static function ConstVal: Terms → Values to map a constant expression to its corresponding value. The corresponding rule, shown in Fig. 1, is straightforward.

2.3 Identifiers

In SML, all expressions are evaluated with respect to an environment: a finite collection of name bindings. Evaluating an identifier in SML results in the corresponding value stored in the current environment. Thus, to give the rules for identifier evaluation, we need to define how environments are represented in our ASM. We use universes of Envs (for environments) and Entries (for entries in an environment) to represent a given environment. An environment contains a
[Fig. 2. Identifiers. The rule fires if OK and CurTerm.Kind = Identifier; it sets CurTerm.Val to the ValEntry of the entry found by Lookup for CurTerm.Identifier in CurEnv and then performs KEEPGOING.]

finite number of entries, indexed by identifier names; we use a universe of Identifiers to represent these names. A binary function Lookup: Envs × Identifiers → Entries returns the environment entry corresponding to the specified identifier in the specified environment. A nullary function CurEnv indicates the environment currently being used for evaluating expressions.

Environment entries are not simply values; each entry also has an additional datum indicating whether the value corresponds to a value variable, a value constructor, or an exception constructor. We use a universe of ValTags to indicate these kinds of data in an environment, along with unary (projection) functions ValEntry: Entries → Values and TagEntry: Entries → ValTags to extract the needed information from a given environment entry.

Having described how environments work in SML, the rule for evaluating an identifier simply accesses the identifier (given by a simple function Identifier: Terms → Identifiers) and extracts the corresponding value from the current environment. The rule is shown in Fig. 2.

2.4 Records

In SML, a record is represented as a sequence of label-expression pairs; the result of evaluating a record is a finite mapping of the labels in the sequence to the corresponding values (as evaluated in the current environment).

Thus, we define a universe of Maps corresponding to these finite pairs of labels and expressions. (Note that Maps is not the same universe as Envs; environments carry additional information which record maps do not.) We use functions CreateMap: Identifiers × Values → Maps and AddToMap: Maps × Identifiers × Values → Maps to construct these maps.

Record expressions are represented in our ASM as a labeled expression optionally followed by a record expression (following the natural recursive definition of a sequence). Our rules for evaluating records (shown in Fig. 3) move through this sequence of record expressions, constructing the corresponding map. (The rules below use functions Expr: Terms → Terms and NextRecord: Terms → Terms to indicate the two components of a record expression; we implicitly introduce component functions such as these in future rules without comment.)

2.5 References

In SML, references are pointers to storage locations maintained in system memory. References are used to store and retrieve values outside of the usual
[Fig. 3. Records. The rules fire if OK and CurTerm.Kind = Record. If CurTerm.Expr.Val = undef, CurTerm := CurTerm.Expr. If there is no NextRecord, CurTerm.Val := CreateMap(CurTerm.Label, CurTerm.Expr.Val) and KEEPGOING. If CurTerm.NextRecord.Val = undef, CurTerm := CurTerm.NextRecord; otherwise CurTerm.Val := AddToMap(CurTerm.NextRecord.Val, CurTerm.Label, CurTerm.Expr.Val), the child values are reset to undef, and KEEPGOING.]

[Fig. 4. Reference terms. The rule fires if OK and CurTerm.Kind = Ref. If CurTerm.Argument.Val = undef, CurTerm := CurTerm.Argument; otherwise a fresh address a is added to Addresses, CurTerm.Val := a, Store(a) := CurTerm.Argument.Val, CurTerm.Argument.Val := undef, and KEEPGOING.]



environment and expression evaluation mechanism; thus they break the "pure" functional programming paradigm.

Evaluating a reference term of the form "ref t" causes a memory location to be allocated and returned as the value of the expression. Additionally, the memory location is initialized to the value of the argument expression t, as evaluated in the current environment.

Thus, we define a universe of Addresses to represent references, and a unary function Store: Addresses → Values to represent the current memory store. Evaluating a reference term thus requires allocating a memory address and initializing the store appropriately. The resulting rule is shown in Fig. 4.








[Fig. 5. Assignment expressions. The rule fires if OK and CurTerm.Kind = Assign. If CurTerm.Argument.Val = undef, CurTerm := CurTerm.Argument; otherwise Store(MapLookup(CurTerm.Argument.Val, "1")) := MapLookup(CurTerm.Argument.Val, "2"), CurTerm.Val := unit, CurTerm.Argument.Val := undef, and KEEPGOING.]



2.6 Assignment

Assignment terms change the values stored in system memory. Syntactically, an assignment appears in the "bare" language as the application of the special function := to a single value: a record in which the label "1" is bound to the memory address to be changed and the label "2" is bound to the new value.

Recall that the value of a record is a map. In order to extract the necessary values from the argument record, we use a binary function MapLookup: Maps × Identifiers → Values. Our rule (shown in Fig. 5) extracts the necessary information and performs the assignment.

All expressions in SML evaluate to a value; however, assignment expressions are evaluated for their side-effects rather than any value they might return. SML uses the special value "unit" to represent the value of an assignment expression; we use a corresponding distinguished element unit in Values.



2.7 Raising and Propagating Exceptions



A "raise" expression takes an argument which evaluates to an exception value. Evaluating such an expression causes the argument to be evaluated; the resulting value is then set to propagate through the system (in our ASM, this is performed by assigning the value to CurException).

Exceptions propagate by moving from child term to parent term repeatedly until a handle expression is found. The rules shown in Fig. 6 show how exceptions are raised and propagated. Note that the presence of a propagating exception in CurException falsifies the OK term, thus making most other rules inapplicable in this situation.



3 An ASM for Function Applications

In this section, we focus on the evaluation of expressions involving function application, which involves evaluating expressions in environments other than the current environment. We also discuss other expressions whose semantics involve changing the current evaluation environment.
[Fig. 6. Raising and propagating exceptions. The raise rule fires if OK and CurTerm.Kind = Raise: if CurTerm.Argument.Val = undef, CurTerm := CurTerm.Argument; otherwise CurException := CurTerm.Argument.Val, CurTerm.Argument.Val := undef, and CurTerm := CurTerm.Parent. The propagation rule fires if CurException ≠ undef and CurTerm.Kind ≠ Handle: CurTerm.Val := undef and CurTerm := CurTerm.Parent.]

[Fig. 7. Function closures. The rule fires if OK and CurTerm.Kind = FunctionClosure; it sets CurTerm.Val := MakeFunction(CurTerm.MatchTerm, CurEnv) and then performs KEEPGOING.]



3.1 Function Closures

A function closure is a match rule (in brief, a pattern-matching rule for evaluating the function) along with the environment to be used in evaluating that match rule. Function closures are created by evaluating statements of the form "fn match", where match is a match rule; the environment current when such a statement is evaluated is bound to the specified match rule for later use. Consequently, we make use of a universe FunctionClosures representing this information, with a construction function MakeFunction: Terms × Envs → FunctionClosures and projection functions MatchTerm: FunctionClosures → Terms and an environment projection FunctionClosures → Envs. The rule for evaluating function closure expressions is shown in Fig. 7.



3.2 Function Applications: Preliminaries and Special Cases

Several forms of function application are present in SML. In all of these cases, a function application consists of two terms: a term corresponding to the function to be applied, and a term corresponding to the argument for that function. (All functions in the "bare" language are unary; functions of higher arity are simulated by records.) The rule shown in Fig. 8 performs this evaluation in all cases.

A special case occurs when the function expression is not a function at all, but a value constructor (i.e. an identifier). In this case, the value of the expression is a pair consisting of the constructor and the argument value.
[Fig. 8. Evaluating arguments for function application. The rule fires if OK and CurTerm.Kind = Function: if CurTerm.LeftTerm.Val = undef, CurTerm := CurTerm.LeftTerm; else if CurTerm.RightTerm.Val = undef, CurTerm := CurTerm.RightTerm.]

[Fig. 9. Constructor application. The rule fires if OK, CurTerm.Kind = Function, CurTerm.LeftTerm.Val is an Identifier and CurTerm.RightTerm.Val ≠ undef; it sets CurTerm.Val := MakePair(CurTerm.LeftTerm.Val, CurTerm.RightTerm.Val), resets both child values to undef, and performs KEEPGOING.]



We use the function MakePair: Values × Values → Values to construct such pairs. The rule for constructor application is shown in Fig. 9.

A second special case occurs when the function to be applied is a built-in operator. We use a universe Primitives to represent such primitive operations, as well as a function I: Primitives × Values → Values to represent the definition of such primitive operators. Thus, our rule simply uses the I function to generate the appropriate value.

Applying a primitive operator may also generate an exception; thus, if the value returned by I is an exception, we need to initiate exception handling (as in the case of a raise expression). Thus, the rule shown in Fig. 10 checks the resulting value before passing it along.

3.3 Function Application to Function Closures

Here we handle the case of applying a user-defined function closure to an argument term. As seen above, function closures include a match expression and a current environment. Evaluating such a function application involves evaluating the specified match expression against the value of the function argument; however, such evaluation occurs not in the current environment, but in the environment specified in the function closure. (We defer our discussion of evaluating match terms against values.)

Of course, evaluating this match term in the new environment could involve evaluating other function applications, requiring evaluating other match terms in other environments, and so on. It becomes clear that we need a stack-like
[Fig. 10. Primitive operator application. The rule fires if OK, CurTerm.Kind = Function, CurTerm.RightTerm.Val ≠ undef and CurTerm.LeftTerm.Val is a Primitive. Let Result = I(CurTerm.LeftTerm.Val, CurTerm.RightTerm.Val): if Result is an Exception, CurException := Result; otherwise CurTerm.Val := Result and KEEPGOING. Both child values are reset to undef.]

structure to use in evaluating terms in environments different from the current environment, while still maintaining the current environment for future use.

The elements which need to be stored in an activation record upon our stack are the following: the intermediate expression values already generated and stored in the function Val, the current focus of attention stored in CurTerm, the current evaluation environment stored in CurEnv, and the current exception propagating stored in CurException. Rather than creating an explicit stack structure (and following the precedent in [ 3]), we use the universe Naturals of natural numbers and redefine the functions used above to have the following signatures:

Val: Terms × Naturals → Values    CurTerm: Naturals → Terms
CurException: Naturals → Exceptions    CurEnv: Naturals → Envs

The extra numerical argument to each of these functions is used to indicate the level of the stack at which the given value is stored. For example, CurTerm(3) indicates the term currently being evaluated at level 3 of the stack. A distinguished function StackLevel: Naturals indicates the current position on the stack; initially, StackLevel = . Thus, CurTerm(StackLevel) indicates the term currently being evaluated.

This requires changes to all the rules previously presented. In order to simplify our presentation (and following the precedent in [4]), we abbreviate CurTerm(StackLevel) by CurTerm, Val(StackLevel) by Val(), and so on. When a function appears with an argument belonging to Naturals, we suppress that argument if its value is StackLevel; we explicitly specify the argument if it is a term other than StackLevel or if clarity would be better served by explicit specification. This set of abbreviations allows us to ignore the stack in situations where its presence is semantically uninteresting, and also allows us to use the previous rules without modification (other than, of course, the above abbreviations).
[Fig. 11. The context-switch abbreviation. (term, env, matchval) abbreviates the rule: ArgTerm(StackLevel + 1) := term, CurTerm(StackLevel + 1) := term, CurEnv(StackLevel + 1) := env, MatchVal(StackLevel + 1) := matchval, StackLevel := StackLevel + 1. The two-argument form (term, env) abbreviates (term, env, undef).]


[Fig. 12. Function application to function closures. The rule fires if OK, CurTerm.Kind = Function, CurTerm.RightTerm.Val ≠ undef and CurTerm.LeftTerm.Val is a FunctionClosure. If ReturnVal = undef, the context switch of Fig. 11 is applied to the closure's match term and environment with CurTerm.RightTerm.Val as the match value; otherwise CurTerm.Val := ReturnVal, ReturnVal := undef, both child values are reset to undef, and KEEPGOING.]



We introduce some functions used in the process of making a context-switch and dealing with the call stack. ArgTerm: Naturals → Terms indicates the top-level term which is to be evaluated at this level of the stack. MatchVal: Naturals → Values indicates the value which is to be matched against ArgTerm as part of this evaluation process. ReturnVal: Values is used to store the return value when a given term evaluation on the stack completes.

We often make use of the abbreviation shown in Fig. 11. The idea is that (t, e, v) attempts to match term t against value v using environment e. The abbreviation works by implicitly creating a new entry on the call stack and transferring control to the term t. When that term completes its evaluation, ReturnVal will have the desired result and StackLevel will be reset to the proper value. An alternate form (t, e) is used in situations where a match value is not required.

Finally, we can present the rule for performing a function application to a function closure. The rule shown in Fig. 12 simply invokes the specified function closure, attempting to match the specified argument against the function closure's match term.
[Fig. 13. New definition of the KEEPGOING abbreviation: if CurTerm = ArgTerm then CurTerm := ReturnTerm else CurTerm := CurTerm.Next endif.]



[Fig. 14. Returning from a function call. The rule fires if CurTerm = ReturnTerm. If CurException = undef then ReturnVal := Val(ArgTerm); otherwise ReturnVal := CurException and CurException(StackLevel - 1) := CurException. Then ArgTerm.Val := undef, CurException := undef, and StackLevel := StackLevel - 1.]

3.4 Returning from Function Closures

The rules presented in the last section provide only half of what is needed for handling calls to function closures. The rules show how to invoke the evaluation of another expression in another environment; they fail to show what to do when evaluation of that expression has been completed. Here we complete the picture. We begin by re-defining the abbreviation KEEPGOING. Recall that KEEPGOING works by moving CurTerm to the next expression to be evaluated in the program. This behavior should be suspended when CurTerm has returned to ArgTerm; at this point, the value stored at ArgTerm should be returned to the caller. The first half of this process is shown in the new definition of KEEPGOING in Fig. 13; it transfers control in such situations to a distinguished element ReturnTerm of Terms, where we perform the actual return.

We now show what happens when control reaches ReturnTerm. Here we simply have to keep the promises made earlier: place the proper return value into ReturnVal and re-establish the previous evaluation context. Note that we have to deal with situations in which an exception is propagating as well; in such situations, we return the exception in both ReturnVal and CurException. The rule is shown in Fig. 14.

3.5 Handle Expressions

A handle expression is used to encapsulate exception processing over a given term. The argument term is evaluated; if no exception occurs while evaluating the argument, the handle expression does nothing and control continues on as usual. The rule for this case is shown in Fig. 15; notice that the truth of the guard
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f ad 


r 


rm. 


i d = ha 


dl t 




f r 


rm. 


r. 


al = 


d ft 


r rm — r rm. r 


r 


rm. al 


= r 


rm. 


r. al r rm. r. al 



/ 

d f 
d f 



or al proc ssi g of ha dl pr ssio s. 



f r tio d f d r rm. i d = ha dl t 

f t r al = d ft 

( r rm. at h r r tio ) 

f t r al = ail r t r al . tio t 
r rm. al = d f r rm = r rm. ar t 

r tio = d f 



d f 

t r 



r rm. al = t r al 
I 

= df 



d f 



. 6. c ptio proc ssi g of ha dl pr ssio s. 



K i dicat s t at o c ptio s a occ rr d il proc ssi g t arg t 

t r . 

ssociat d it ac a dl pr ssio is a ate r 1 (si ilar to t at s d 

i f ctio d fi itio s) . If a propagati g c ptio r ac s a a dl pr ssio , 

att pt to ate t propagati g c ptio ( ic is, aft r all, a al ) 

agai st t associat d ate r 1 , as if ad a f ctio call to t ate 
r 1 . If t ate rlrtrsaal or a c ptio , alio t at al 
or c ptio to CO ti propagati g. sp cial al ail al s a b 
r t r d if t ate r 1 fails to g rat a r s It; i sc sit atio s, alio 
t old c ptio to CO ti propagati g. s o r co t t-s itc c a is 
i trod c d i t last s ctio to p rfor t is al atio . corr spo di g r 1 
is s o i ig. 6. 

3.6 Let Expressions

Let expressions contain a set of bindings (which generate an environment) and an expression which should be evaluated with respect to those bindings and the current environment. Those bindings should only be added to the current environment to evaluate the target expression; afterwards, the current environment should revert to its previous value.

[Fig. 17. Let expressions. (ASM rule text not legible in the scan.)]

We can use the same context-switch mechanism introduced previously to provide semantics for let expressions. We first evaluate the set of attached bindings, which generates an environment. We then combine that environment with the current environment, using a function Combine to perform the combination appropriately. The combined environment is then used as the basis for a context-switch to evaluate the target expression; thus, the bindings implicitly disappear (as desired) when the caller returns. The rule for evaluating let expressions is shown in Fig. 17.



4 [heading not legible]

In this section, we focus on the evaluation of match rules. A match rule consists of a pattern and an associated expression. Match rules are always evaluated with respect to a target value. A successful attempt to match a value against a pattern results in an environment, representing the bindings required to match the value against that pattern; in such situations, the associated expression is then evaluated with respect to the current environment augmented by the bindings, and its value returned. An unsuccessful attempt to match a value against a pattern results in the special value Fail.



4.1 Match Lists

Matches usually occur in a list. Evaluating a list of matches is relatively straightforward; one evaluates each match in the list sequentially until a non-Fail value is generated, which is returned as the value of the list expression. Should all matches in the list return Fail, the list returns Fail as well.

The rule for evaluating match lists is shown in Fig. 18. Note that we associate with every match list its component rule (found with MatchRule: Terms → Terms) and the remainder of the list which follows that rule (found with MatchList: Terms → Terms).

[Fig. 18. Match lists. (ASM rule text not legible in the scan.)]



4.2 Matches

The semantics for evaluating match rules were explained in the introduction to this section; the corresponding rule is shown in Fig. 19.

4.3 Default Patterns

Here we begin to present rules for handling various types of patterns. Recall that a distinguished location is used to hold the value against which the current pattern is to be matched; the result of a pattern match is either an environment or the special value Fail.

The simplest patterns to match are the underscore pattern and the ellipsis pattern. Either pattern matches against any value and creates no bindings; the empty environment is returned. We use the distinguished element Empty to represent the environment containing no bindings. The corresponding simple rule is shown in Fig. 20.

4.4 Constant Patterns

We can match values against special patterns representing constants (e.g., numeric literals). The match succeeds if and only if the constant pattern corresponds to the current match value; no bindings are generated. Using a function from Terms to Values to indicate the true value of this constant term, the rule shown in Fig. 21 performs this operation.
[Fig. 19. Match rules. (ASM rule text not legible in the scan.)]

[Fig. 20. Default patterns. (ASM rule text not legible in the scan.)]
4.5 Simple Identifiers

Matching a value against an identifier in the current environment succeeds in three cases:

1. The identifier is currently unbound. The resulting value is a single-entry environment, binding the identifier to the value.

2. The identifier is currently bound to a free variable. The resulting value is a single-entry environment, binding the identifier to the variable.

3. The identifier is already bound to the desired value. No additional bindings are generated.



[Fig. 21. Constant patterns. (ASM rule text not legible in the scan.)]

[Fig. 22. Identifier patterns. (ASM rule text not legible in the scan.)]

We use a function Create: Identifiers × Values → Envs to create a single-entry environment with the specified binding. The corresponding rule is shown in Fig. 22.

4.6 Record Patterns

Recall that the value of a record in SML is a finite name/value mapping. To match a record value against a sequence of labeled patterns, we simply need to ensure that the labeled sequence agrees with the record. That is, if label ℓ is associated with expression e, the current match value should associate ℓ with a value v such that v successfully (recursively) matches against e.

Consequently, our context-switch rules come in handy again, as we need to repeatedly check that each labeled expression successfully matches against the corresponding value in the match record. Our rule, shown in Fig. 23, simply proceeds along the list of labeled patterns, combining the resulting environments as needed.

4.7 Constructed Patterns

Constructed patterns are patterns consisting of a constructor and an argument. A constructed pattern successfully matches against a value which is itself a constructed value with the same identifier and whose value (recursively) matches against the pattern argument. The rule for constructed patterns is shown in Fig. 24.

4.8 References

A memory reference term successfully matches against a value if the value is a memory address, and the value stored at that address in memory (recursively) matches against the argument of the reference term. The rule for memory reference terms is given in Fig. 25.
[Fig. 23. Record matching. (ASM rule text not legible in the scan.)]



5 Discussion

ASMs were first proposed as a methodology for specifying the semantics of programming languages [ ]. ASMs have been applied to a wide variety of programming languages: imperative languages such as C/C++ [13,20], logic programming languages such as Prolog [4] and its variants, object-oriented languages such as Java [5,21] and Oberon [17], and hardware languages such as VHDL [2]. To the best of our knowledge, this case study in Standard ML is the first application of ASMs to provide the semantics of a functional programming language.

The official semantics of Standard ML is given by Milner [19], using an axiomatic semantics called Natural Semantics. The rules given in Milner, while definitive, rely heavily on axiomatic notation and proof rules which can be difficult to read. With the presence of an official semantics, there appear to be few other treatments of SML using other semantic techniques. A recent paper by Watt [22] announces the use of Action Semantics to give semantics to SML; another work by Harper and Stone [14] translates SML into a typed variant of the lambda calculus to which an operational semantics is given. All of these other works give both static and dynamic semantics for SML.
[Fig. 24. Constructed pattern matches. (ASM rule text not legible in the scan.)]

[Fig. 25. Reference matches. (ASM rule text not legible in the scan.)]



An interesting feature of our semantics for SML is our use of the macro used to evaluate a term in an environment differing from the current environment. The macro appears in roughly one-third of the rules given above (not counting rules omitted for brevity), suggesting that term-environment evaluation plays an important role in the dynamic semantics of SML. This is natural; SML is, after all, a functional programming language, which draws its roots from the lambda calculus. Since function application (i.e. term evaluation in a different environment) is at the heart of the lambda calculus, it seems natural that this feature should exhibit itself so prominently in our semantics.

We would argue that the dynamic semantics given above are as precise and accurate as conventional semantic treatments such as the official definition [19]. The rules and explanations above are somewhat longer than in an axiomatic approach, as the ASM notation lends itself to natural language notations rather than axiomatic proof rules. However, we find the readability of these rules is substantially better. Such explanations can provide a better basis for explaining and understanding the language with a minimal amount of notational overhead.

Several possible extensions of this work are being contemplated. A clear gap in the descriptions above is a treatment of the static semantics of SML, including the extensive type system. The official definition of SML [19] spends extensive time defining the static aspects of the language, which can also be confusing at times. Recently Montages [16] have been used to describe both static and dynamic semantics of programming languages using ASMs; we consider extending this work using Montages to provide static semantics for SML as well.

Extending this work to the Montages framework has another important benefit: executability. At this time, the description given here has not been tested by any executable tools. A tool [ ] allows one to execute Montages descriptions directly; we expect that doing so will give us further evidence of the correctness of these descriptions.

Alternatively, ASMs may be used for various proofs of correctness, such as compilation techniques; we consider specifying a compilation technique for SML to some intermediate language and proving its correctness.

References

1. M. Anlauff, P. W. Kutter, and A. Pierantonio. Formal aspects of and development environments for Montages. In M. P. A. Sellink, editor, 2nd International Workshop on the Theory and Practice of Algebraic Specifications, Workshops in Computing, Amsterdam, 1997. Springer.

2. E. Börger, U. Glässer, and W. Müller. The semantics of behavioral VHDL'93 descriptions. In EURO-DAC'94. European Design Automation Conference with EURO-VHDL'94, pages 500-505, Los Alamitos, California, 1994. IEEE Computer Society Press.

3. E. Börger and J. Huggins. Abstract State Machines 1988-1998: Commented bibliography. Bulletin of EATCS, 64:105-127, February 1998. (An updated version is available from [15].)

4. E. Börger and D. Rosenzweig. A mathematical definition of Full Prolog. In Science of Computer Programming, volume 24, pages 249-286. North-Holland, 1994.

5. E. Börger and W. Schulte. Programmer friendly modular definition of the semantics of Java. In J. Alves-Foss, editor, Formal Syntax and Semantics of Java. Springer, 1998.

6. S. Cater and J. Huggins. Dynamic semantics for Standard ML. Technical Report -1999-2, Kettering University, 1999.

7. U. Glässer. Abstract State Machines Europe Home Page. http://www.uni-paderborn.de/cs/asm/.

8. Y. Gurevich. Reconsidering Turing's Thesis: Toward more realistic semantics of programs. Technical Report CRL-TR-38-84, EECS Department, University of Michigan, 1984.

9. Y. Gurevich. Logic and the challenge of computer science. In E. Börger, editor, Current Trends in Theoretical Computer Science, pages 1-57. Computer Science Press, 1988.

10. Y. Gurevich. Evolving Algebras: A tutorial introduction. Bulletin of EATCS, 43:264-284, 1991. (Reprinted in G. Rozenberg and A. Salomaa, eds., Current Trends in Theoretical Computer Science, World Scientific, 1993, 266-292.)

11. Y. Gurevich. Evolving Algebras 1993: Lipari Guide. In E. Börger, editor, Specification and Validation Methods, pages 9-36. Oxford University Press, 1995.

12. Y. Gurevich. Sequential Abstract State Machines capture sequential algorithms. ACM Transactions on Computational Logic, page to appear, 2000.

13. Y. Gurevich and J. Huggins. The semantics of the C programming language. In E. Börger, H. Kleine Büning, G. Jäger, S. Martini, and M. M. Richter, editors, Computer Science Logic, volume 702 of LNCS, pages 274-309. Springer, 1993.

14. Robert Harper and Chris Stone. A type-theoretic interpretation of Standard ML. In Gordon Plotkin, Colin Stirling, and Mads Tofte, editors, Robin Milner Festschrift. MIT Press, 1998.

15. J. Huggins. Abstract State Machines Home Page. http://www.eecs.umich.edu/gasm/.

16. P. W. Kutter and A. Pierantonio. Montages: Specifications of realistic programming languages. Journal of Universal Computer Science, 3(5):416-442, 1997.

17. P. W. Kutter and A. Pierantonio. The formal specification of Oberon. Journal of Universal Computer Science, 3(5):443-503, 1997.

18. Lucent Technology. Standard ML of New Jersey Home Page. http://cm.bell-labs.com/cm/cs/what/smlnj/.

19. R. Milner, M. Tofte, R. Harper, and D. MacQueen. The Definition of Standard ML (Revised). MIT Press, 1997.

20. C. Wallace. The semantics of the C++ programming language. In E. Börger, editor, Specification and Validation Methods, pages 131-164. Oxford University Press, 1995.

21. C. Wallace. The semantics of the Java programming language: Preliminary version. Technical Report CSE-TR-355-97, EECS Dept., University of Michigan, December 1997.

22. D. Watt. The static and dynamic semantics of Standard ML. In Proceedings of the Second International Workshop on Action Semantics (AS'99), number NS-99-3 in BRICS Notes Series, pages 155-172. Department of Computer Science, University of Aarhus, May 1999.
define the dynamic semantics of UML State Machines which integrate statecharts with the UML object model. The use of ASMs allows us (a) to rigorously model the event driven run to completion scheme, including the sequential execution of entry/exit actions (along the structure of state nesting) and the concurrent execution of internal activities; (b) to formalize the object interaction, by combining control and data flow features in a seamless way; and (c) to provide a precise but nevertheless provably most general computational meaning to the UML terms of atomic and durative actions/activities. We borrow some features from the rigorous description of UML Activity Diagrams by us in [7].

1 Introduction

The Unified Modeling Language (UML) [2, ,2 ] is a standardized notation based on a set of diagrams to describe the structure and the behavior of a software system. In [ ] it is stated that "UML is more than just a graphical language. Rather, behind every part of its graphical notation there is a specification that provides a textual statement of the syntax and semantics of that building block" although the official document [4] for the UML semantics only gives an unambiguous textual definition of the syntax for UML notations and leaves the behavioral content of various constructs largely open. The necessity to develop the UML as a precise (i.e. well defined) modeling language is widely felt [ ,9, 9] and the pUML (precise UML) group has been created to achieve this goal [ ].

In this paper we analyze one of the principal diagram types which are used in UML for the description of dynamical system behavior, namely statechart or state diagrams, and provide a rigorous definition of their dynamics. Many papers on the semantics of statecharts [ 6,2 , , 7] exist in the literature, in particular in relation to their implementation in STATEMATE [ ] and RHAPSODY [14]. Nevertheless, the debate is still ongoing on what exactly should be considered as the authoritative definition of UML State Machines which integrate statecharts with the UML object model. The major difficulty here concerns the mechanisms for object interaction [14, 9].

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. 223-241, 2000.
© Springer-Verlag Berlin Heidelberg 2000




224 E. Börger, A. Cavarra, and E. Riccobene

ASMs [ , 2] provide a technique to solve such specification problems and to clarify the relevant issues. In this paper, we propose a model that (a) rigorously defines the event handling scheme in a way which makes all its "semantic variation points" explicit, including the event deferring and the event completion mechanism; (b) encapsulates the run to completion step in two simple rules (TransitionSelection and GenerateCompletionEvents) where the peculiarities relative to entry/exit or transition actions and sequential, concurrent or history states are dealt with in a modular way; (c) integrates smoothly the state machine control structure with the data flow; (d) clarifies various difficulties concerning the scheduling scheme for internal ongoing (really concurrent) activities; (e) describes all the state machine features that break the thread-of-control; (f) provides a precise computational content to the UML terms of atomic and durative actions/activities, without losing the intended generality of these concepts (see footnote 1), and allows one to clarify some dark but semantically relevant points in the UML documents on state machines.

We do not take a position on which concepts or understandings of UML are reasonable or desirable. Through our definitions we however build a framework for rigorous description and analysis of logically consistent interpretations of the intuitions which underlie UML concepts. In fact, exploiting the abstract nature of ASMs it is easy to adapt our definitions to changing requirements. We hope that this will contribute to their rational reconstruction, for the UML standardization, and to the comparison of different UML implementations. Our model can also serve as reference model for implementing tools for code generation, simulation and verification of UML models. This work can be viewed as a continuation of [7] where a rigorous semantics of UML activity diagrams has been provided.

The paper is organized as follows. Section 2 introduces the basic concepts underlying UML statechart diagrams and ASMs. The ASM model for the behavioral meaning of these diagrams is defined in section 3. In section 4, the semantical equivalence between some UML state machine building blocks is discussed. In section 5 we compare our model with related work and show that it satisfies the UML meta-model requirements for state machines.

2 Basic Concepts

In this section we sketch the basic concepts underlying UML state machines and ASMs and review the notation.

2.1 UML Statechart Diagrams

Statechart diagrams are one of the five diagrams in UML for modeling the dynamic aspects of systems. Statecharts were invented by David Harel [ ,6]; the semantics and the notation of UML statecharts are substantially those of Harel's statecharts with adaptations to the object-oriented context [3].

Modeling the Dynamics of UML State Machines 225

Statechart diagrams focus on the event-ordered behavior of an object, a feature which is especially useful in modeling reactive systems. A statechart diagram shows the event triggered flow of control due to transitions which lead from state to state, i.e. it describes the possible sequences of states and actions through which a model element can go during its lifetime as a result of reacting to discrete events. A state reflects a situation in the life of an object during which this object satisfies some condition, performs some action, or waits for some event.

According to the UML meta-model [4], states can belong to one of the following categories: simple states, composite states (sequential, concurrent, submachine), final, and pseudostates (initial, history, stub, junction, sync).

Transitions are viewed in UML as relationships between two states indicating that an object in the first state will enter the second state and perform specific actions when a specified event occurs provided that certain conditions are satisfied [3]. UML statecharts include internal, external and completion transitions.

The semantics of event processing in UML state machines is based on the run to completion (rtc) assumption: events are processed one at a time and when the machine is in a stable configuration, i.e. a new event is processed only when all the consequences of the previous event have been exhausted. Therefore, an event is never processed when the state machine is in some intermediate, unstable situation.

Events may be specified by a state as being possibly deferred. They are actually deferred if, when occurring, they do not trigger a transition. This will last until a state is reached where they are no more deferred or where they trigger a transition.



2.2 Abstract State Machines

ASMs are transition systems, their states are multi-sorted first-order structures, i.e. sets with relations and functions, where for technical convenience relations are considered as characteristic boolean-valued functions. The transition relation is specified by rules describing the modification of the functions from one state to the next, namely in the form of guarded updates ("rules")

if Condition then Updates

where Updates is a set of function updates f(t1, ..., tn) := t, which are simultaneously executed when Condition is true.

We use multi-agent ASMs [ 2, ] to model the concurrent substates and the internal activities which may appear in a statechart diagram. A multi-agent ASM is given by a set of (sequential) agents, each executing a program consisting of ASM rules. Their distributed runs are defined in [2].

Since ASMs offer the most general notion of state, namely structures of arbitrary data and operations which can be tailored to any desired level of abstraction, this allows us on the one side to reflect in a simple and coherent way the integration of control and data structures, resulting from mapping statecharts to the UML object model. In fact, UML machine transitions are described by ASM rules where the actions become updates of data (function values for given arguments). On the other side also the interaction between objects is naturally reflected by the notion of state of multi-agent (distributed) ASMs.

For the constructs of sequentialization, iteration and submachine of sequential ASMs we use the definitions which have been given in [ ]. We provide the concept of "stable" state needed to guarantee that the event triggered sequential exit from and entry into nested diagrams is not interrupted by a too early occurrence of a next event.



3 [heading not legible]

In this section we model the event governed run to completion step in UML statechart diagrams. We first introduce the signature of UML statecharts and then define the execution rules. Statechart diagrams are made up of (control) states and transitions, belonging to the abstract sets STATE and TRANSITION.

3.1 States

The set STATE is partitioned into simple, composite (with substructure), and pseudo states. Composite states are partitioned into sequential and concurrent ones. Pseudostates are partitioned into initial and history states.

Simple states (1) are of the form state(entry, exit, act(A), defer), where the parameters entry/exit denote actions that have to be performed as soon as the state is entered/exited, act(A) denotes the internal ongoing activity A that must be executed as long as the state is active, and defer is a set of events that are candidate to be retained in that state.

Sequential composite states (2) are of the form state(entry, exit, act(A), defer, init, final, history), where entry, exit, act(A) and defer have the same meaning as for simple states, init denotes the initial state of the submachine state associated to this composite state, final denotes its final state, and history its associated history state (see below for details on initial, final and history states). Sequential composite states contain one or more substates, exactly one of which is required to be active when the composite state is active.

Concurrent composite states (3) are of the form state(entry, exit, act(A), defer, concurrent), where entry, exit, act(A) and defer are as above, and concurrent yields the set of the concurrent (sequential) substates composing the state. When a concurrent state is active, all of its subcomponents are active.

1 This notion of control state, deriving from the finite state machine notion of "internal" state, is only a tiny fraction of the overall system state which is reflected by the ASM notion of state as structure, i.e. domains (of to be instantiated objects) with operations and relations.

2 Simple and composite states may have a name, i.e. a string denoting uniquely the state. We omit this parameter in the signature of such states as it is not relevant for our model.

3 Each substate is sequential because it must enclose an initial and a final state.

According to [4], an event that is deferred in a composite state is automatically deferred in all its directly or transitively nested substates. For reasons of simplicity, but without loss of generality, we assume that the defer set of each state explicitly contains all the inherited events to be deferred.

[Figure: graphical notation of the state kinds (1), (2) and (3). (Graphics not preserved in the scan.)]

Initial states indicate where to start by default when the enclosing (composite sequential) state is invoked. A history state, associated to a sequential composite state say S, is a pseudostate that can be of two types: shallow history and deep history. The shallow history state records, upon exiting S, only the most recent active state directly contained in S and restores the recorded state when the history state is invoked. The deep history state records the most recent active hierarchical configuration of S, and restores this configuration when the history state is invoked. To keep track of the configuration, we use a dynamic function memory that is initialized to the empty sequence for each state which has never been accessed. To guarantee the correct entering order, we handle memory as a LIFO list. In case of shallow history state memory contains at most one state.

Final states are special states whose activation indicates that the enclosing state is complete.

We denote by SimpleState, SequentialState, ConcurrentState, PseudoState, FinalState the characteristic functions of the corresponding subsets of STATE.

A state which is enclosed within a composite state is called a substate of that state. In particular, it is called direct substate when it is not contained in another state; otherwise it is referred to as a transitively nested substate. The nesting structure of statechart diagrams is encoded by the following static functions:

UpState: STATE → STATE ∪ {undef}, such that UpState(s) = t iff s is a direct substate of a compound state t.

DownState: STATE × STATE → BOOL, such that DownState(t, s) = true iff s is a direct substate of a compound state t.

UpChain: STATE × STATE → STATE*, UpChain(s, t) = [S1, ..., Sn] where n > 1 & S1 = s & Sn = t & ∀ i = 2...n: UpState(S_{i-1}) = S_i.

DownChain: STATE × STATE → STATE*, DownChain(s, t) = [S1, ..., Sn] where n > 1 & S1 = s & Sn = t & ∀ i = 1...n-1: DownState(S_i, S_{i+1}).

UpChain and DownChain yield empty sequences on each pair of not nested states. We write Up/DownChain(s, s') to indicate the right-open sequence Up/DownChain(s, s') = [T1, ..., Tn[, if it exists. Notice that Up/DownChain(s, s) = [].



3.2 Transitions

The set TRANSITION is partitioned into internal and external transitions.

External transitions are of form trans(source, target, event, guard, action), where source/target represent the source/target states of the transition, event denotes the triggering event which may enable the transition to fire, guard is a boolean expression that is evaluated as soon as the event occurs (if it evaluates to false the transition does not fire), action is an action that is executed at the time the transition fires.

Internal transitions are of the form trans(source, event, guard, action), where all the parameters have the same meaning as for the external transitions. Internal transitions have a source state but no target state because the active state does not change when they fire, and no exit or entry actions are executed. We distinguish between external and internal transitions using a predicate internal on TRANSITION.

Statechart diagrams include also completion transitions, namely transitions with an implicit "completion event" indicating the completion of the state the transition leaves. We can handle completion transitions as special trigger transitions, labeled by completionEvent(S), where S is the source state, and assume that all transitions in a statechart diagram are labeled with an event. The only transitions outgoing pseudostates are completion transitions [2 ].

For each type of state and transition parameter, we use a (static) function param which applied to the related states or transitions yields the corresponding parameter. For example entry(state) yields the entry action associated to state, source(trans) the source state of the transition trans, etc. We often suppress parameters notationally.



3.3 Agents

Let AGENT be the set of agents which move through the statechart diagram, each executing what is required for its currently active state. A state becomes active when it is entered as result of some transition, and becomes inactive if it is exited as result of a transition. "When dealing with composite and concurrent states, the simple term current state can be quite confusing. In a hierarchical state machine more than one state can be active at once. If the control is on a simple state that is contained in a composite state, then all the composite states that either directly or transitively contain the simple state are also active" [4]. Therefore, to maintain what in UML is called the current configuration of active states, we introduce a dynamic function

currState: AGENT → P(STATE)

whose updates follow the control flow of the given statechart diagram. The function deepest: AGENT → STATE yields the last (innermost) state reached by an agent.

The agents execute UML statechart diagrams, i.e. they all use the same program (or ASM). As a consequence, in the formulation of these rules below, we use the 0-ary function Self which is interpreted by each agent a as a.

When a new agent is created to perform a concurrent subcomputation (defined by one of the substates in a concurrent composite state), it is linked to the parent agent by the dynamic function

parent: AGENT → AGENT ∪ {undef}

We assume that this function yields undef for the main agent who is not part of any concurrent flow. The active subagents of an agent a are collected in the set SubAgent(a) = {a' | parent(a') = a}.

At the beginning of the computation, we require that there is a unique agent, positioned on the initial state of the top state, and whose program consists of the rules TransitionSelection and GenerateCompletionEvent described below.

3.4 Event Handling

In UML it is assumed that a state machine processes one event at a time and finishes all the consequences of that event before processing another event [1…, 2…]. "An event is received when it is placed on the event queue of its target. An event is dispatched when it is dequeued from the event queue and delivered to the state machine for processing. At this point, it is referred to as the current event. Finally, it is consumed when event processing is complete. A consumed event is no longer available for processing" [4].

We therefore assume that one event is processed at a time. Since the particular event queueing and dispatching mechanisms are deliberately not furthermore specified in UML, we model them here explicitly as semantic variation points and therefore use a monitored predicate dispatched indicating which event is dequeued to be processed. At any moment, the only transitions that are eligible to fire when an event e occurs are the ones departing from an active state (i.e. whose source state belongs to currState) whose associated guard evaluates to true^4. This is expressed by the following condition

    Enabled(t, e) ≡ event(t) = e & guard(t) & source(t) ∈ currState

It is possible for more than one transition to be enabled by the same event, but UML allows only those transitions to be fired simultaneously which occur in concurrent substates [4]. In all the other cases, the enabled transitions are said to be in conflict with each other. We can distinguish three types of conflict situations: (1) an internal transition in an active state conflicts with a transition outgoing from that state, (2) two or more transitions originating from the same source in an active state are enabled by e, and (3) two or more transitions with different source states but belonging to the same active state are enabled by the occurrence of e. In UML the selection among conflicting transitions is constrained only for case (3) by giving priority to the innermost enabled transition. We do formalize this priority for (3), whereas in the cases (1) and (2) we reflect the choice between different scheduling mechanisms as a semantic variation point, namely by using abstract selection functions; see the TransitionSelection rule below.

^4 If no guard is associated to a transition we assume guard(t) = true.

Let Enabled(e) = {t | Enabled(t, e)} be the set of all transitions enabled by e. We define an equivalence relation ~ on Enabled(e) as follows:

    ∀ t1, t2 ∈ Enabled(e), t1 ~ t2 iff source(t1) = source(t2).

The nesting of states induces the total order relation ≤ on the quotient set Enabled(e)/~, defined as [t1] ≤ [t2] iff source(t1) is a direct or a transitively nested substate of source(t2)^5.

Let FirableTrans(e) be the minimum equivalence class in Enabled(e)/~. It reflects the requirement that among transitions enabled by the same event and with different source states, priority is given to an innermost one. The choice among those innermost ones is left open as semantic variation point (see the choose construct in the TransitionSelection rule).

If a dispatched event does not trigger any transition in the current state, it is lost unless it occurs in the deferred set of the deepest active state. This is formalized by the following predicate Deferrable:

    Deferrable(e) ≡ Enabled(e) = ∅ & e ∈ defer(deepest)

As suggested in [2…], to store deferred events we associate to each agent a list^6 of events deferred that is dynamically updated during the computation (see rule TransitionSelection). We can therefore define Deferred(e) to mean e ∈ deferred.

We call a deferred event Releasable when it becomes ready to be consumed, i.e. when it can trigger a transition in the current state configuration:

    Releasable(e) ≡ Deferred(e) & Enabled(e) ≠ ∅

3.5 Statechart Execution Rules

In this subsection we define the rules for the execution of statecharts, i.e. we specify the sequences of states that an object goes through, and of the actions it takes, in response to events which occur during its lifetime [2…].

Apparently, UML leaves it unspecified how to choose between dispatched and releasable events. We reflect this by using a selection function which, at any moment, chooses either a dispatched event triggering a transition, or an event that has been deferred. A dispatched event, if Deferrable, has to be inserted into the deferred list. A releasable event, when chosen for execution, has to be deleted from deferred^7. This implies that when choosing an event which is simultaneously dispatched & Releasable, that event will be deleted from the deferred events^8.

We define in the next section the exact meaning of the state machine execution of a transition, namely by a parameterized macro StateMachineExecution(trans). This leads us to the following main rule for selecting the machine transition to be executed next.

^5 Observe that ≤ is total since all the source states of the transitions in Enabled(e) belong to currState and therefore they are nested.

^6 Apparently, this list is meant to be a set, leaving the exact ordering of events open as a semantic variation point. A similar remark applies also to other lists occurring in the UML texts.

    TransitionSelection ≡
      choose e : dispatched(e) ∨ Releasable(e)
        choose trans ∈ FirableTrans(e)
          StateMachineExecution(trans)
          if Deferrable(e) then deferred := insert(e, deferred)
          if Releasable(e) then deferred := delete(e, deferred)
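The predicates and the TransitionSelection rule above, as an added executable toy model that is not code from the paper: it covers one non-concurrent agent, resolves conflict case (3) by source depth (the innermost class of Enabled(e)/~), keeps a deferred list, and lets a deferred event fire once it becomes Releasable. The state hierarchy, event names and transition names are constructed for the example; firing only replaces currState by the chain enclosing the target (no entry, exit or history handling), and on entering a target only events deferred by the new deepest state are retained, both of which are simplifications of this example.

```python
# Added example (not from the paper): a toy model of Enabled / FirableTrans /
# Deferrable / Releasable and of the TransitionSelection rule for one agent.
# Assumptions: firing just replaces currState by the chain enclosing the
# target; after entering, only events deferred by the new deepest state stay
# in the deferred list. Hierarchy and names below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Transition:
    name: str
    source: str
    target: str
    event: str
    guard: Callable[[], bool] = lambda: True  # no guard given: guard(t) = true


class StateMachine:
    def __init__(self, up_state: Dict[str, str], defer: Dict[str, Set[str]],
                 transitions: List[Transition], initial: str) -> None:
        self.up_state = up_state        # state -> enclosing state (top has none)
        self.defer = defer              # state -> events it defers
        self.transitions = transitions
        self.curr_state = self.chain_to(initial)  # outermost .. innermost
        self.deferred: List[str] = []   # the agent's list of deferred events

    def chain_to(self, s: Optional[str]) -> List[str]:
        """All states enclosing s, outermost first, s included."""
        chain = []
        while s is not None:
            chain.append(s)
            s = self.up_state.get(s)
        return chain[::-1]

    def deepest(self) -> str:
        return self.curr_state[-1]

    def depth(self, s: str) -> int:
        return len(self.chain_to(s)) - 1

    # Enabled(t, e) == event(t) = e & guard(t) & source(t) in currState
    def enabled(self, e: str) -> List[Transition]:
        return [t for t in self.transitions
                if t.event == e and t.guard() and t.source in self.curr_state]

    # FirableTrans(e): the innermost class of Enabled(e)/~ (conflict case 3).
    # currState is a chain, so the depth of the source orders the classes.
    def firable_trans(self, e: str) -> List[Transition]:
        en = self.enabled(e)
        if not en:
            return []
        innermost = max(self.depth(t.source) for t in en)
        return [t for t in en if self.depth(t.source) == innermost]

    def deferrable(self, e: str) -> bool:
        return not self.enabled(e) and e in self.defer.get(self.deepest(), set())

    def releasable(self, e: str) -> bool:
        return e in self.deferred and bool(self.enabled(e))

    def fire(self, t: Transition) -> None:
        self.curr_state = self.chain_to(t.target)
        keep = self.defer.get(self.deepest(), set())
        self.deferred = [x for x in self.deferred if x in keep]

    def step(self, dispatched: Optional[str], choose=lambda xs: xs[0]) -> Optional[Transition]:
        """One TransitionSelection step. `choose` stands for the abstract
        selection function (a semantic variation point); default: first."""
        candidates = [e for e in self.deferred if self.releasable(e)]
        if dispatched is not None:
            candidates.append(dispatched)
        if not candidates:
            return None
        e = choose(candidates)
        trans = self.firable_trans(e)
        # All guards are evaluated in the state before any update, as in the rule.
        defer_it, release_it = self.deferrable(e), self.releasable(e)
        fired = choose(trans) if trans else None
        if fired is not None:
            self.fire(fired)
        if defer_it:
            self.deferred.append(e)          # deferred := insert(e, deferred)
        if release_it and e in self.deferred:
            self.deferred.remove(e)          # deferred := delete(e, deferred)
        return fired


def build_example() -> StateMachine:
    """Constructed hierarchy: top > A > {A1, A2}; top > C > B; top > D.
    A1, A2 and B defer f; C has a transition on f; A and A1 conflict on e."""
    up_state = {"A": "top", "A1": "A", "A2": "A", "C": "top", "B": "C", "D": "top"}
    defer = {"A1": {"f"}, "A2": {"f"}, "B": {"f"}}
    transitions = [
        Transition("A1->A2", "A1", "A2", "e"),
        Transition("A->C", "A", "C", "e"),      # conflict case (3) with A1->A2
        Transition("A->B", "A", "B", "g"),
        Transition("C->D", "C", "D", "f"),
    ]
    return StateMachine(up_state, defer, transitions, "A1")


def run_scenario() -> List[str]:
    """Dispatch f (deferred), e (innermost wins), g, then a step with no
    dispatched event in which the deferred f is released; return what fired."""
    sm = build_example()
    trace = []
    for ev in ["f", "e", "g", None]:
        t = sm.step(ev)
        trace.append(t.name if t else "-")
    return trace
```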

The rule for selecting and executing a transition fires simultaneously, at each "run to completion step", with a rule to generate completion events. Completion events are generated when an active state satisfies the Completion Condition [4]. They trigger any transition outgoing such states. An active state is considered completed if one of the following cases occurs: (1) it is an active pseudostate, (2) it is a sequential composite state with active final state, (3) the state internal activity terminates while the state is still active, or (4) it is a concurrent composite state and all its direct substates have reached their final state. We formalize this by the predicate

    Completed(S) ≡ pseudostate(S) ∨
        (SequentialState(S) & final(S) ∈ currState) ∨
        Terminated(ASM(S)) ∨
        (ConcurrentState(S) &
           ∀ S' ∈ Concurrent(S) ∃ a ∈ subAgents(Self)
              final(S') ∈ currState(a))

where Terminated(ASM(S)) is a derived predicate that holds if and only if the run of the ASM(S), which formalizes the internal activity of S, reaches a final state.

Each time the completion condition evaluates to true for an active state S that is not a direct substate of a concurrent state^9 a completion event is generated. This is expressed by the rule GenerateCompletionEvent that is executed simultaneously for each state S ∈ currState.

^7 If upon execution of transition trans, a deferred event e ∈ defer(source(trans)) does not belong to defer(target(trans)), then it must be deleted from deferred, as specified as part of the macro below.

^8 Should another interpretation be intended, we would probably change the guard "if Releasable(e)" in the TransitionSelection rule to e.g. "if Releasable(e) & not dispatched(e)".

^9 This restriction reflects that in UML no direct substate of a concurrent state can generate a transition event. Such substates are required to be sequential composite states.

    GenerateCompletionEvent ≡
      forall S ∈ currState
        if Completed(S) & ¬ConcurrentState(upState(S))
        then generate(CompletionEvent(S))

Although the order of event dequeuing is not defined, it is explicitly required that completion events must be dispatched before any other queued events [4]. We reflect this requirement as a constraint on the monitored predicate dispatched.

The above two rules, which fire simultaneously at each RunToCompletionStep, define the top level behavior of state machines. It remains to define in more detail the meaning of the macros appearing in those rules.

The requirement that an object is not allowed to remain in a pseudostate, but has to immediately move to a normal state [2…], cannot be guaranteed by the rules themselves, but has to be imposed as an integrity constraint on the permissible runs.

3.6 Submacros

We define now the submacros where parameterization by transitions allows us to modularize the definition for the different types of transitions and the involved states.

State Machine Execution. If an internal transition is triggered, then the corresponding action is executed (there is no change of state and no exit or entry actions must be performed). Otherwise, if an external transition is triggered, we must determine the correct sequence of exit and entry actions to be executed according to the transition source and target state. Transitions outgoing from composite states are inherited from their substates so that a state may be exited because a transition fires that departs from some of its enclosing states. If a transition crosses several state boundaries, several exit and entry actions may be executed in the given order. To this purpose, we seek the innermost composite state that encloses both the source and the target state, i.e. their least common ancestor. Then the following actions are executed sequentially: (a) the exit actions of the source state and of any enclosing state up to, but not including, the least common ancestor, innermost first (see macro ExitState); (b) the action on the transition; (c) the entry actions of the target state and of any enclosing state up to, but not including, the least common ancestor, outermost first (see macro EnterState); finally (d) the "nature" of the target state is checked and the corresponding operations are performed.

The sequentialization and iteration constructs defined for ASMs in [1…] provide the combination of black-box (atomic step) view and white-box (durative) view which is needed here to guarantee that when the two rules defined above are executed, all the updates which occur in the macros defined below are performed before the next event is dispatched or becomes releasable. This behavior is reflected by the parameterized macro StateMachineExecution(trans) (which constitutes the body of the TransitionSelection rule). The macros appearing in this rule are described below.
    StateMachineExecution(trans) ≡
      if internal(trans) then action(trans)
      else seq
        ExitState(source(trans), S)
        action(trans)
        EnterState(S', target(trans))
        case target(trans)
          SequentialState : EnterInitial(target(trans))
          ConcurrentState : StartConcurrentComp(target(trans))
          HistoryState    : RestoreHistory(target(trans))
        endcase
      where a  = lca(source(trans), target(trans))
            S  = DirectSubstate(a, chain(source(trans), a))
            S' = DirectSubstate(a, chain(a, target(trans)))

and DirectSubstate : STATE × STATE* → STATE is defined by DirectSubstate(s, L) = s' iff s' ∈ L & upState(s') = s, i.e. s' is the only direct substate of s belonging to the list L.

It remains to define the macros for exiting and entering states, and for the additional actions for sequential, concurrent and history states.



Exiting states. If a transition that crosses the boundary of a composite state fires, we must distinguish two cases to perform the exits from nested states in an order which respects the hierarchical structure (see macro ExitState below):

1. The agent is not inside a concurrent flow (i.e. parent(Self) = undef). If the agent is (1) not parent of concurrent subagents or (2) it is parent of concurrent subagents but each subagent already performed its exit actions, then for each state from the source state up to, but excluding, the source/target least common ancestor state (see the State Machine Execution rule above), innermost first, it sequentially (a) stops the internal ongoing activities, (b) performs the exit actions, and (c) removes those states from the agent's current state. Moreover, it (d) updates the history (if defined and provided that the final state has not been reached), memorizing in it all the states it is exiting in case of deep history, or only its direct active substate in case of shallow history, and (e) updates deferred by deleting all those events which are no more deferred (see macro SeqExit which uses a macro KillWorker defined below). In case (2) the agent must furthermore update its deferred to retain all deferred events of its own but none of those processed by its subagents. Finally it disconnects all its deactivated subagents (see the corresponding macro Disconnect defined below).

2. The agent is inside a concurrent flow (i.e. parent(Self) ≠ undef). We have to consider the two cases, whether the trigger event is relevant for all the subagents running in parallel within the concurrent state or not. To this purpose we check that the transition source state belongs to the active state of both the agent and its parent (when a subagent is created, it inherits its parent's current state, therefore at any time the currState of the parent agent is a subset of its subagents' currState). In this case, each subagent performs the same sequential exit macro as in the first case, i.e. starting from its deepest state up to, but excluding, its parent's deepest state, it sequentially (a) stops the internal ongoing activities, (b) performs the exit actions and (c) removes those states from the agent's current state. Moreover, it (d) updates the history (if defined and provided that the final state has not been reached) memorizing in it all the states it is exiting in case of deep history, or only its direct active substate in case of shallow history, and (e) updates deferred by deleting all those events which are no more deferred (see macro SeqExit). Finally, the agent is deactivated, meaning that its rule is set to undef and its current state to the empty set (see macro Deactivate).

Now consider the case that the transition source state belongs to the active state of at least one but not to all subagents of an agent. Then the event is relevant only for this subagent, and this agent performs the sequential exit as in case 1.

    ExitState(s, t) ≡
      if parent(Self) = undef
      then if subAgents(Self) = ∅
           then SeqExit(s, t)
           else if ActiveSubAgents = ∅
                then seq
                  deferred(Self) := defer(deepest(Self)) ∩ deferred(Self)
                  Disconnect
                  SeqExit(s, t)
                endseq
      else if s ∈ currState(Self) & s ∈ currState(parent(Self))
           then seq
             SeqExit(S, S')
             Deactivate(Self)
           endseq
           else SeqExit(s, t)
      where S  = deepest(Self)
            S' = deepest(parent(Self))
            ActiveSubAgents = {a ∈ subAgents(Self) | currState(a) ≠ ∅}

In the definition of the macro SeqExit we use the macro KillWorker, to be defined below. In defining SeqExit we use a function hist(s, S) whose value depends on whether S is a deep history state or not. hist(s, S) yields chain(s, S) for deep history, DirectSubstate(S, chain(s, S)) for shallow history.
    SeqExit(s, t) ≡ loop S thru chain(s, t)
      seq
        KillWorker(S)
        exit(S)
        currState := remove(S, currState)
      seq
        if history(S) ≠ undef & ¬ final(S) ∈ currState
        then mem(history(S)) := hist(s, S)
      endseq

    Deactivate(a) ≡ Mod(a) := undef
                    currState(a) := ∅

    Disconnect ≡ forall a ∈ subAgents(Self)
                   parent(a) := undef

Entering states. A transition may have a target state nested at any depth in a composite state. Therefore, any state enclosing the target one up to, but excluding, the least common ancestor will be entered in sequence, outermost first. Entering a state means that (a) the state is activated, i.e. inserted in currState, (b) its entry action is performed, and (c) the state internal activity (if any) is started. This is realized by the macro EnterState for which we use the macro StartWorker defined below. The agent's deferred is updated by deleting all those events which are no more deferred in the target state.

    EnterState(s, t) ≡ loop S thru chain(s, t)
      seq
        currState := insert(S, currState)
        entry(S)
        StartWorker(S)
      seq
        deferred := deferred ∩ defer(S)
      endseq

Internal Activities. When a state is active, its internal activity (if any) is required to be executed. Apparently, internal activities are intended as concurrent and [4] imposes no particular scheduling conditions for them. We model this by creating a new worker agent whose job is to execute the activity of its associated state. The worker agent is created when the state is entered and after its entry action has been executed. It receives as program the ASM(S) formalizing the state activity.

    StartWorker(S) ≡ extend AGENT with a
                       Mod(a) := ASM(S)
                       worker(S) := a

Using ASMs as rigorous replacement for the intuitive notion of "internal activity", we obtain a mathematically rigorous definition without losing generality^10. In addition we make the notion of "ongoing" activity precise by defining it as steps of an ASM in a multi-agent distributed run.

If an activity is aborted prior to its termination as result of the firing of an outgoing transition, then before leaving the state its associated worker agent is deactivated since its job is terminated. This is performed by the following macro which is used for defining SeqExit:

    KillWorker(S) ≡ Mod(worker(S)) := undef
                    worker(S) := undef

Sequential composite states. A transition drawn to the boundary of a sequential composite state is equivalent to a transition to its initial pseudostate [4]. Therefore, when a composite sequential state is the target state of a triggered transition, the control passes to its initial state that is inserted in currState.

    EnterInitial(S) ≡ currState := insert(init(S), currState)

History states. If a transition incoming to a history state within a composite state fires, the configuration of active states stored in its mem is restored. Therefore, each state in the history is activated, i.e. it is inserted in currState, its entry action is performed, its activity is executed, and the state is removed from the history. The right entering order is guaranteed by the LIFO structure of mem.

Observe that when a state is entered for the first time or its most recently active state prior to its exit was the final state, its history (if any) must be empty [4]. This is guaranteed in our model since we initialize each history state memory to the empty sequence, delete it after using it, and store nothing in it when its enclosing state is exited by a final state.

    RestoreHistory(S) ≡ loop S' thru mem(S)
      seq
        currState := insert(S', currState)
        entry(S')
        StartWorker(S')
        mem(S) := delete(S', mem(S))
      seq
        deferred := deferred ∩ defer(S')
      endseq

Concurrent composite states. If a transition incoming to a concurrent composite state fires, the flow of control is split into two or more flows of control. The currently active agent creates a new agent a_i for each concurrent component S_i. All the subagents inherit their parent's program to execute statechart diagrams, its currState configuration and the parent's list of active deferred events. As a transition drawn to the boundary of a concurrent composite state is equivalent to a transition to all of its concurrent components and consequently to the component initial state, each agent a_i activates the component S_i and its associated initial state.

^10 That no generality is lost derives from Gurevich's proof of the ASM thesis in [13].

    StartConcurrentComp(S) ≡
      let S_1, ..., S_n = Concurrent(S)
      extend AGENT with a_1, ..., a_n
        forall i in 1..n
          parent(a_i) := Self
          deferred(a_i) := deferred(Self)
          Mod(a_i) := Mod(Self)
          currState(a_i) := insert({S_i, init(S_i)}, currState)

The parent agent will stand idle waiting for the termination of its subagents' computation. This is enforced by the definition of when a concurrent state is completed to trigger the completion event which may enable the transition exiting the concurrent state. The running subagents can finish their job either because of a completion event generated by their parent^11 or by the firing of an explicit event labeling a transition outgoing their enclosing state. In our model the substates' exit action and internal activity abortion are performed by the ExitState macro, in a synchronized fashion. Other choices are easily defined modeling our rules appropriately. The UML documents seem not to mention this semantically relevant issue at all.

Remark. In a concurrent compound state S, a transition trans(e, g, a) outgoing from a state S' in a concurrent component and incoming to a state S'' sibling of S (see Fig. 1.a), can be viewed as split into two transitions (see Fig. 1.b): a transition trans(e, g, exitEvent(S)) from S' to S, where exitEvent(S) is an event generation action^12, and a transition trans(exitEvent(S), true, a) from S to S''. To guarantee the expected semantics of UML statecharts, we impose, as an integrity constraint on the permissible runs, that the event exitEvent(S) must be dispatched before any other event (see the event handling mechanism in section 3.4).

[Fig. 1: (a) a transition from a state S' inside a concurrent component of S to a sibling S'' of S; (b) the same transition split at the boundary of S, the second part labeled exitEvent/[true]a]

^11 In this case they all must have reached their final state.

^12 According to [4] an action labeling a transition may consist in sending a signal.

4 Derived Constructs

UML statecharts encompass for notational convenience some constructs which can be defined in terms of basic constructs. Not to overload our model, we decided to include only the basic notations and to sketch here how to replace the remaining constructs by combinations of basic constructs.

Fork and join pseudostates. Fork and join pseudostates split and merge transitions arriving at, or emanating from, concurrent states. A transition to the boundary of a concurrent compound state is equivalent to a transition to each of its direct substates (and therefore to their initial states), and a transition from the boundary of a concurrent compound state is equivalent to a transition from the final states of each of its substates. Therefore, the fork (resp. join) semantics can be obtained by allowing only incoming (resp. outgoing) transitions that terminate on (resp. depart from) the boundary of concurrent states, and imposing that each concurrent substate must enclose an initial and a final state.

Junction pseudostates. Junction states are used only to chain together multiple transitions (this is known as merge), or to split an incoming transition into multiple outgoing transitions labeled with different guard conditions (this is known as conditional branch) [4].

Submachine states. UML statecharts provide also submachine states, a syntactical convenience to facilitate reuse and modularity [4]. A submachine state is only a shorthand that implies a macro-like expansion by another state machine and is semantically equivalent to a composite state^13. According to the UML metamodel, a submachine state is of the form state(entry, exit, A(S), Machine(S')). We can assume that each occurrence of a submachine state is substituted by the sequential composite state defined by entry, exit, A(S) and Machine(S'). Moreover, we identify transitions directly incoming to, respectively outgoing from, the submachine state with transitions directly incoming to, respectively outgoing from, the resulting sequential composite state.

Stub states. A stub state is nothing else than an alias for an entry point to or an exit point from a state S_i in S' of a submachine state state(entry, exit, A(S), Machine(S')).

Synchronization constructs. Synch states are used to synchronize the execution of concurrent substates. Their semantics can be given by slightly modifying the above formalization of concurrent states.

^13 Submachine states are never concurrent [4].
5 Conclusions and Related Work

In this section we discuss some ambiguities in the official semantics of UML [4, 1…, 2…] which are resolved in the ASM model. We also show how some requirements for UML state machines are satisfied by our model.

The UML state machine execution is formalized through the macro StateMachineExecution (invoked by the rule TransitionSelection) that reflects the scheme of a generic control machine. These UML statecharts generalize the Mealy ASMs defined in [6].

Our model reflects all the characteristics of the UML state machines metamodel in [4] and adds to its structural, static definition the underlying control flow semantics. A subtle question regards the execution of ongoing state activities. What does happen when an internal transition occurs? Does the activity interrupt and then restart from the same computation point, or does it never interrupt? The way we model internal activities guarantees the second, to our understanding reasonable, alternative. However, our model can be easily adapted to formalize other behaviors.

By replacing the undefined UML terms of "action" and "activity" with (possibly structured, in the sense of [1…]) "ASM rule", we provide a precise mathematical content to these terms without losing the generality intended by the designers of UML (see in this connection Gurevich's proof of the ASM thesis [13]). Our model also provides a precise meaning of the vague term "ongoing internal activity", namely as execution of an ASM in a multi-agent distributed run as defined in [12]. The sequentialization, iteration and submachine constructs defined for ASMs in [1…] clarify in what sense sequences of nested exit and entry actions can be guaranteed to be executed in one "run to completion step", as postulated by the UML documents, namely before the next event may trigger the next "step". Our model also makes some semantically relevant features explicit which seem not to have been considered in the official UML documents^14.

Several semantics for statecharts have been proposed in the literature [2…]. Most of these are concerned with modeling Harel's statecharts, whose semantics is rather different from UML state machines (e.g. in the event handling policy). Although our model can be adapted to grasp such differences, our intent is to define the UML state machine semantics up to the degree of precision one can reach without compromising the desired freedom of the so called "semantic variation points".

Differently from the formalization of UML state machines in [11, 19], our model reflects the original structure of UML machines as described in the UML documents, without imposing any graphical transformation or flattening of diagrams. [11] uses graph rewriting techniques to transform UML state machines into a "normal form" machine, without considering the execution of actions and activities. The model in [19] leaves out some UML state machines features, and some are covered by means of semantical equivalences which, however, do not always respect the metamodel constraints (see [4], pp. 2-…26). For instance, entry/exit actions in a state are replaced by attaching such actions respectively to the state incoming/outgoing transitions, whereas the metamodel asserts that the multiplicity of Action/Transition is 0..1, that is no or exactly one action may label a transition.

In [17] the operational behavior of UML state machine constructs is described using pseudo-code in a way which in many places includes specific implementation decisions (mostly without stating them), whereas we tried to let the intended semantic variation points of UML stand out explicitly as such.

^14 E.g. whether abortion of internal activities and exit actions of concurrent agents should be synchronized or not.

References

1. Abstract State Machines. http://www.eecs.umich.edu/gasm/.
2. Rational Software Corporation. Unified Modeling Language, version 1.3, 1999.
3. UML Notation, 1999. (Published as part of [2]).
4.–6. [entries not recoverable from the scan; the surviving fragment reads] … -43. Springer-Verlag, 1999.
7. E. Börger, A. Cavarra, and E. Riccobene. A Semantics for UML Activity Diagrams. In Gurevich Festschrift 2000. (To appear).
8. [entry not recoverable from the scan; the surviving fragment reads] … In …'98 Workshop on Formalizing UML. Why and How?, October 1998.
9. [entry not recoverable from the scan]
10. R. France, A. S. Evans, K. C. Lano, and B. Rumpe. Developing the UML as a formal modeling notation. Computer Standards and Interfaces, Special Issue on Formal Development Techniques, accepted for publication, 1998.
11. Martin Gogolla and Francesco Parisi-Presicce. State diagrams in UML: a formal semantics using graph transformations. In Manfred Broy, Derek Coleman, Tom Maibaum, and Bernhard Rumpe, editors, Proceedings PSMT'98 Workshop on Precise Semantics for Modeling Techniques. Technische Universität München, TUM-I9803, 1998.
12. Y. Gurevich. Evolving Algebras 1993: Lipari Guide. In E. Börger, editor, Specification and Validation Methods, pages 9-36. Oxford University Press, 1995.
13. Y. Gurevich. Sequential Abstract State Machines capture sequential algorithms. Transactions on Computational Logic, 2000. (To appear).
14. D. Harel and E. Gery. Executable object modeling with statecharts. Computer, IEEE Computer Society, 30(7):31-42, 1997.
15. D. Harel and A. Naamad. The STATEMATE semantics of statecharts. ACM Trans. Soft. Eng. Method., 5(4):293-333, 1996.
16. D. Harel and M. Politi. Modeling reactive systems with statecharts. McGraw-Hill, [year not recoverable from the scan].
17. Ivan Paltor and Johan Lilius. Formalising UML state machines for model checking. In Robert France and Bernhard Rumpe, editors, UML'99 - The Unified Modeling Language. Beyond the Standard. Second International Conference, Fort Collins, CO, USA, October 28-30, 1999, Proceedings, volume 1723 of LNCS. Springer, 1999.
18. The precise UML group. http://www.cs.york.ac.uk/puml/.
19. G. Reggio, E. Astesiano, C. Choppy, and H. Hussmann. Analysing UML Active Classes and Associated State Machines - A Lightweight Formal Approach. In … (To appear).
Robert Eschbach, Uwe Glässer, … (further authors not recoverable from the scan)

Computing … University of Kaiserslautern, …
Heinz Nixdorf Institut, University of Paderborn, D-33102 Paderborn, Germany

Abstract. In November 1999, a new version of SDL (Specification and Description Language) called SDL-2000 has passed ITU-T, an international standardization body for telecommunication. SDL is a fairly complex, graphical formal description technique for the development of distributed systems, and has been broadly used in industry for many years. Efforts to define the semantics of SDL-2000 formally have started early in 1998. By now, a draft formal semantics is available, which is determined to become the official formal semantics after its approval in 2000. It is based on the formalism of Abstract State Machines (ASMs), which has been selected for several reasons including intelligibility and executability.

The formal semantics of SDL addresses the static semantics, transformation rules, and the dynamic semantics. The approach taken to define the dynamic semantics is particularly interesting. Although basically being operational, it differs from existing approaches in several ways. In this paper, we address and highlight some of these differences, using a simplified specification language called … instead of SDL. In defining a formal dynamic semantics for …, we formally describe an abstract machine, a compilation function mapping … specifications to code of this machine, and an operational definition of the set of initial states, using ASMs as the underlying formalism. Furthermore, we present in some detail the semantics of procedure calls.



1 Introduction

Since 1976, SDL (Specification and Description Language) is an ITU standardized language^1 for the development of distributed real-time systems in general, and telecommunication systems in particular. With its graphical syntax, its object-oriented features, its direct support for reuse, and its integration with

^1 SDL is defined by the ITU-T, the Telecommunication Standardization Sector of the International Telecommunication Union (ITU), in their Recommendation Z.100 [2…].

Gurevich et al. (Eds.): … pp. …4… – …6…
(c) Springer-Verlag Berlin Heidelberg …
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ot er develop ent languages, satis es t e pri ar needs of s ste deve- 
lopers. oda , is being broadl applied in industr , and is being supported 
b po erful co ercial tool environ ents. 

In 9 , t e se antics of as been de ned for all , upgrading t e langu- 
age to a for al description tec nique ( ). is for al de nition as been 

updated and aintained for subsequent versions of t e language in 992 
and 996. uilding on a co bination of t e eta language eta-I it 

a -like co unication ec anis , t e for al se antic odel provides a 
CO pre ensive for ali ation of all static and d na ic aspects of , t oug , 
it is ardl anageable because of its si e . ssentiall , t e for al se antics 
is given b a set of eta-I progra s t at take an sped cation as input, 

deter ine t e correctness of its static se antics, perfor a nu ber of transfor- 
ations to replace non-basic language constructs, and interpret t e speci cation. 
It as been argued t at t is st le of de ning t e for al se antics is particular! 
suitable for tool builders. 

In ove ber 999, a ne version of t e language, called -2 , as been 

approved as international standard. In addition to t e usual language ainte- 
nance, -2 offers i portant ne features, including object-oriented data 
t pe de nitions, a uni ed concept for blocks, processes, and co posite states, 
and e ception andling. ased on t e assess ent t at t e e isting eta-I pro- 
gra s ould be too difficult to update and aintain, it as decided to conceive 
a ne for al se antics for -2 fro scratc . or t is purpose, a special 
task force, t e s a ti s gr , consisting of e perts fro er an and 
ina including t e aut ors of t is paper, as for ed. e draft for al se an- 
tics de ned b t is group (see [24]) as been deter ined to beco e t e official 
for al se antics after its approval, ic is e pected for ove ber 2 
ong t e pri ar design objectives of t is approac is i t igihi it and con- 
ciseness of t e for al description as a prerequisite for acceptance, correctness 
and aintainabilit . dditionall , tahi it as beco e a ke issue. e- 
cutabilit calls for an operational for alls it readil available tool support. 

or t is and ot er reasons (cf. [ ]), bstra t tat a hi s ( s) ave - 

nail been selected as t e underl ing for alls . o support e ecutabilit , t e 
for al se antics de nes, for eac speci cation, corresponding code. 

is differs substantial! fro t e interpreter vie taken in previous ork, and 
enables -to- -co pilers. us, given t e availabilit of an -to- 
co piler, it ill be straig tfor ard to generate reference i pie entations. 
The approach taken by the SDL semantics group to formalize the dynamic semantics of SDL-2000, though basically operational, differs in several aspects from the approach taken to define the semantics of SDL-88 through SDL-96, and also from the style of other approaches (cf. [2, ]):

— The style of the semantics has the characteristics of a compiler approach, as compared to the interpreter approach chosen, for instance, to define the semantics of SDL-88 through SDL-96.¹ A compiler usually performs lexical and syntactic analysis functions, just like an interpreter does. Unlike an interpreter, compilers produce executables for some kind of machine, instead of executing a version of the source directly. Thus, the source is viewed as a collection of instructions rather than a data structure.

— In practice, processing SDL specifications into an abstract syntax representation is simpler and faster than compiling it into some kind of executable code. On the other hand, compilation into code directly enables executability. There is a technique to combine the advantages of both approaches, namely: the generation of abstract code "running" on an abstract machine. The SDL semantics group has devised an SDL Abstract Machine, SAM for short, which is defined in terms of a distributed real-time ASM. SDL specifications are then compiled into the instruction set of this machine.

— Compared to the standard technique for defining the set of initial states of an ASM model — usually this is done in an axiomatic or declarative style² — a realistic semantic model of SDL requires a different approach. Following the view of Z.100 on how initial system states are derived from given SDL specifications, the SAM model starts its execution from a set of so-called pre-initial states that are canonically defined. The actual set of initial states is then determined in an operational way as result of an initialization phase. This way, the initialization phase and the execution phase may even overlap.

¹ The complete formal semantics for SDL-96, as defined in Annex F to Z.100, is documented on more than 500 pages of Meta-IV descriptions.

Due to the complexity of SDL-2000, the formal semantics is of substantial size. Therefore, in order to present and illustrate the application of the basic techniques above to the definition of the SDL semantics, we have chosen a very small language called SSL (Simple Specification Language). In the following, we define an abstract machine for SSL, a compilation function mapping SSL specifications to code running on this machine, and the initialization and execution phases. Moreover, we present in more detail the semantics of procedure calls. Our model of procedure semantics allows for call-by-value and call-by-reference semantics and supports the concept of static binding.

Taking into account that the work reported here is not an academic exercise, but takes place in a real-life industrial setting, pragmatic compromises are unavoidable. For this reason, some decisions taken in the formalization of the SDL (and hence SSL) semantics are rather pragmatic or strongly influenced by the SDL experts. In our opinion, such work is crucial to demonstrate the usefulness of formalisms such as ASMs. In this sense, the paper reports on work that is still in progress, but which has reached a stage where most "design" decisions have been taken, and a sufficiently stable draft is available (cf. [24]). A preliminary version of this paper can be found in [7].

This paper is organized as follows. Section 2 gives an overview on related work. Pragmatic aspects of our formalization approach are briefly discussed in Section 3, while Section 4 provides an overview of the formal semantics for SDL-2000. Section 5 introduces the language SSL. Section 6 defines the abstract compilation of SSL specifications to SAM programs. Section 7 defines the SSL abstract machine (SAM). Section 8 describes the initialization. Section 9 presents conclusions. Throughout this paper we assume the reader to be familiar with Gurevich's notion of ASM (cf. [4, ,6]).

² Quite often, an initial state S is defined through a set of first-order formulas φ₁, …, φₙ such that S ⊨ φ₁ ∧ … ∧ φₙ.

2 Related Work

Regarding the importance of SDL as a practical tool for industrial systems engineering, it is certainly not astonishing that in addition to activities within ITU, there is a considerable variety of attempts to formalize the semantics of SDL using various formal methods. According to the principal objectives behind these attempts, one can distinguish two basically different aspects, namely: (1) approaches that are mainly concerned with analysis and verification of SDL system specifications; (2) approaches that are mainly concerned with formal documentation, maintenance and validation of the language definition.

2.1 Analysis and Verification

In [ ], Bergstra and Middelburg define a process algebra semantics of a restricted version of SDL, which they call φSDL (where φ stands for "flat"), as it does not cover the structural aspects of SDL. Additionally, they introduce a restricted notion of time to simplify time-related concepts of SDL. The authors claim to have convincing pragmatic justification for their choices; for instance, they argue that the time concept of SDL is deficient and that an adequate semantics for it requires a simpler notion of time. After all, they deploy an impressive mathematical apparatus making it difficult to see whether φSDL is relevant in practice.

Broy [4], Holz and Stølen [19], and Hinkel [ ] model various subsets of (essentially) Basic SDL using denotational semantics based on stream processing functions [ ]. While it may be natural to model process communication as discrete streams of signals, the functional view does neither support the concept of system states and state transitions nor allows the stream formalism for an adequate treatment of time. Even the most comprehensive model [ ] builds on a fundamentally restricted notion of global system time not allowing to express time quantities explicitly. In particular, it is not possible to specify any quantitative delays as required for dealing with the timer concept of SDL. Since the expiration time of a timer does not refer to a global system time (as represented by the SDL expression now), the meaning of an active timer is reduced to the fact that a timer signal will eventually be generated (after some finite delay). This results in a severe oversimplification.³

³ It is certainly right that the current definition of SDL needs further improvements allowing a more detailed and more precise inspection of timing behavior (see for instance [22]), e.g. to determine delays caused by time-consuming operations; on the other hand, any reasonable approach to overcome these deficiencies cannot mean to replace the current time concept by an entirely new or primitive one, as done in [ ].
Fischer, Dimitrov and Tauber propose an extended Petri net model, so-called SDL time nets, as a formal basis to verify SDL protocol specifications [ ], [9]. The transformation of SDL specifications into corresponding net models as well as the transformation of results back to the SDL level is done automatically within the Integrated Tools Environment SITE. Though these transformations, in principle, remain invisible for the user, the authors concede that certain knowledge is necessary about the internal data structures of the analysis tools. Moreover, the integration of further net analysis algorithms is difficult and requires detailed knowledge about the internals (like interfaces, structure and representation formats) of the tools.



2.2 Documentation and Validation

An ambitious attempt aiming at a comprehensive formal semantics for SDL-92 as a basis for further development of SDL was started by Lau and Prinz with their definition of BSDL (Base SDL) [2 ]. With the ultimate goal to simplify the language definition, they proposed a modeling approach using Object-Z to define a universal core for SDL as a conceptual framework to deal with the main building blocks of the language. This core should be as clear and concise as possible, yet it should include the basic model of processes and communication, all the object-oriented concepts and partly also structuring concepts. The meaning of additional language constructs (not handled within the core) should then be fixed by defining their transformation to the core. In that respect, the BSDL approach is similar to the original formal model of SDL, but suggests a more systematic and robust construction of a formal semantic model. However, the Object-Z definition of BSDL was rejected by the ITU even before the work was completed.

Regarding further developments of SDL towards SDL-2000, an approach based on transition systems generated from attributed abstract syntax trees (ASTs) is outlined in [13]. An attribute grammar is formed by adding evaluation rules to the abstract grammar of the language, where attributes for instance may represent actions. This way, one obtains for each complete SDL specification an attributed AST containing all the information required to generate a behavior model. The underlying mathematical model and the notation are not determined, which leaves room for subsequent choices.

In [12] and [ ], an ASM behavior model for Basic SDL-92 is defined. Starting from an abstract operational view, the dynamic properties of Basic SDL-92 are formalized in terms of an abstract SDL interpreter based on a distributed real-time ASM model. This work provides a conceptual framework that has further been developed and extended by combining it with the compiler-based approach from [13], as well as certain concepts from [2 ], resulting in a robust formal basis for the definition of an ASM behavior model for SDL-2000, as discussed here.
3 Pragmatic Considerations

This section addresses fundamental questions concerning the practicability, suitability and robustness of our formalization approach. The primary focus here is on pragmatic aspects rather than on technical details. That is, we try to explain at a conceptual level distinctive features of our behavior model. In particular, we try to answer the question, "Why and how does the abstract operational view of the ASM method in combination with the compiler approach practiced here naturally meet the demands on formal documentation, language maintenance and tool development as arising from the standardization process?".

Industrial engineering of complex distributed systems based on SDL, as already outlined in Sect. 1, has quite a tradition in telecommunication technology. Meanwhile, one can as well observe an increasing proliferation of SDL applications in various fields of information technology (e.g., engineering of distributed control systems). Like the development of SDL over its life cycle, this progress has been influenced by the apparent convergence of information technology and communication technology.

To meet the needs of system design experts, the language has been continuously improved over a period of more than 20 years, evolving from a primitive graphical notation to a sophisticated formal description technique, according to the demands on industrial systems technology. Consequently, the underlying language concepts closely reflect the view and the intuitive understanding of system behavior and system structure of those who have mainly contributed (through their practical experience) to the development of SDL (c.f. the standard literature, e.g. [23,6]). Hence, in order to gain acceptance, any realistic attempt to formalize the semantics of SDL with the intention to facilitate language design and validation of implementations cannot succeed without supporting the intuitive understanding of well established SDL concepts (including functional, structural and timing aspects) as defined in Z.100.



3.1 Abstraction and Appropriateness

The problem of "turning English into mathematics" is considerably simplified by a close correspondence between the specification method and the semantic model to be formalized. In fact, this allows for more natural and adequate abstractions resulting in more comprehensible and more reliable descriptions. Given the definition of SDL in Z.100, it makes perfect sense to formalize dynamic properties of SDL specifications as abstract machine runs since this style of modeling directly reflects the abstract operational view of the informal language description. Conceptually, the effect of actions and events as associated with active objects (i.e., those objects that have a behavior) on the global system state is stated in terms of the effect of operations on abstract machine states.⁴

More specifically, the resulting abstraction depends on the granularity of abstract machine operations specified by the SAM instruction set. Ideally, this granularity is such that all relevant effects on the system state are highlighted, whereas minor operational details remain hidden in the functions and predicates on top of which these operations are formulated. Additional details may then be introduced through stepwise refinements such that the style of representation gradually turns from declarative to operational while crossing abstraction levels.⁵

⁴ For instance, this way it was possible to eliminate a number of cumbersome in-language transformations (specified by so-called model definitions) from Z.100 by defining the meaning of certain non-basic constructs directly in the formal behavior model.

Essential for a direct and concise encoding of SDL behavior primitives in ASM notation is of course a close correspondence of the underlying computation models. In that respect, there are two observations concerning our modeling approach:

— The SDL view of distributed systems with real-time constraints and the ASM semantic modeling concept of distributed real-time ASM clearly coincide. That is, essential properties of the underlying computation models - namely, the notions of concurrency, reactivity and time as well as the notion of state - are so tightly related that the common understanding of SDL can directly be converted into a formal semantic model avoiding any formalization overhead.

— Even without direct support of object-oriented features in ASMs, the resulting ASM model of the SDL dynamic semantics is particularly concise, readable and understandable. Furthermore, this model can easily be extended and modified as required for an evolving technical standard. Beyond the purpose addressed here, the ASM model may as well be utilized for defining a bridging semantics in order to combine SDL with other modeling languages (e.g., UML and VHDL).



3.2 Correctness and Validity

Defining semantics by a mapping to a well defined semantic basis, as realized by the compilation of SDL specifications into SAM code, is a well-known technique, but is often considered to be as dangerous as helpful. Of course one may argue that this leads to the old "the compiler defines the language semantics" problem: "Who validates and/or verifies the correctness of this mapping and with respect to which origin?".

Now, the question here is: "How can one establish that a formal semantic model like the ASM behavior model of SDL faithfully reflects the intuitive understanding of SDL, i.e. yields a valid interpretation of the definitions in the language reference manual?". Since there is no way of proving correctness (in a strict mathematical sense), the approach taken here is to construct an ASM behavior model that reflects the dynamic properties of the language so closely that correctness can be established by observation and experimentation. In ASM terms, such a model is called a ground model, cf. [2]. The quality of ground models considerably depends on the underlying abstractions for dealing with real-world phenomena, i.e. on the way in which basic objects and operations of a ground model are related to basic entities and actions as observed in the real world. Investigating the construction of ground models (as part of the analysis and design process), one can identify general principles for justifying their appropriateness and validity. In [2], Egon Börger convincingly argues that this justification process has three basic dimensions, namely: a conceptual justification, an experimental justification, and a mathematical justification. According to this understanding, the best we can achieve is a solid pragmatic foundation.

⁵ An illustrative example is the abstract definition of the behavior model for channels (see [24]). Exploiting the decentralized organization of the underlying signal flow model, the entire static information on the system structure and the reachability constraints are completely encapsulated into a predicate compatible, which can then be refined by introducing technical details on how this information is to be derived from a given specification.



4 Structure of the Formal Semantics

The definition of the formal semantics of SDL-2000 is structured into the following major parts:

— grammar,

— well-formedness conditions (static semantics),

— transformation rules, and

— dynamic semantics.

The grammar defines the set of syntactically correct SDL specifications. In the SDL standard, a concrete textual, a concrete graphical, and an abstract grammar are defined using BNF with some extensions to capture graphical language elements. The abstract grammar is obtained from the concrete grammars by removing irrelevant details such as separators and lexical rules.

The well-formedness conditions impose additional context constraints on syntactically correct specifications, such as which names it is allowed to use at a given place, which kind of values to assign to variables, etc.

For some language constructs, the formal semantics is not provided directly, but through transformation rules. These rules define how a given specification is to be transformed in order to replace the language constructs by basic language elements, and are formally represented as rewrite rules.

Finally, the dynamic semantics is given to syntactically correct specifications satisfying the well-formedness conditions, after application of the transformation rules. The dynamic semantics consists of the following parts as illustrated by Figure 1.

— The SDL Abstract Machine (SAM) defines basic signal flow concepts of SDL such as signals, timers, exceptions, and gates in terms of the ASM model. Furthermore, ASM agents are specialized to model SDL agents in the context of SAM. Finally, several signal processing and behavior primitives - in a sense the abstract machine instructions of the SAM - are predefined.

— An SDL Abstract Machine Program defines a set of computations. Computations consist of an initialization phase and an execution phase. SAM programs have predefined parts that are the same for all SDL specifications, and variable parts that are generated from the abstract syntax representation of a given SDL specification.

— The initialization handles static structural properties of the specification by recursively unfolding all the static objects of the specification. In fact, the same happens during the execution phase when new SDL agents are created dynamically. From this point of view, the initialization is merely the instantiation of the system agent.

— The compilation function maps SDL behavior representations into the SAM primitives. This function amounts to an abstract compiler taking the abstract syntax tree (AST) of an SDL specification as input and transforming it to the abstract machine instructions.

— The data semantics is separated from the rest of the dynamic semantics by an interface. The use of an interface is intentional at this place. It will allow to exchange the data model, if for some domain another data model is more appropriate than the built-in SDL model. Moreover, also the built-in SDL model can be changed this way without affecting the rest of the semantics, thus enhancing its maintainability.

As in the past, the new formal semantics is defined starting from the abstract syntax of SDL, which is documented in the SDL standard. From this abstract syntax, a behavior model that can be understood as abstract code generated from an SDL specification is derived. The dynamic semantics associates, with each SDL specification, a particular distributed, real-time ASM. Intuitively, an ASM consists of a set of autonomous agents cooperatively performing concurrent machine runs. This approach differs substantially from the interpreter view taken in the previous semantics definition, and will enable SDL-to-ASM compilers.

Conceptually, one can identify three basic layers at which our semantic model of SDL is actually defined (either explicitly or implicitly), namely:

(1) the compilation function,

(2) the SAM architecture, and

(3) the semantic model of distributed real-time ASM.

Regarding layers (1), (2), it is not a priori fixed which aspects of SDL behavior are subject to modeling at which one of these two layers. Though, in principle, specific aspects depending on a given SDL specification typically ought to be encoded into the compilation function, whereas invariant dynamic properties are more naturally expressed in terms of the SAM model. Finally, to keep the formalization as concise and elegant as possible, all aspects that both computation models (SDL and ASM) have in common are preferably given implicitly by mapping SDL behavior primitives directly onto corresponding primitives of the underlying ASM model at layer (3).

By splitting the definition of the behavior model into the above layers, one obtains a flexible framework for semantic modeling that allows for natural and adequate abstractions, transparent and well defined formalization, and flexible rearrangements on the basis of an executable semantics.

5 SSL: A Simple Specification Language

In order to illustrate our approach to the formal SDL-2000 semantics and the application of the basic techniques introduced in Section 4 we have chosen a very small language called SSL (Simple Specification Language). SSL is untyped, and is based on a small number of statements including assignment and the conditional statement. Furthermore, an SSL specification may contain procedure definitions and procedure calls. A procedure definition can contain reference parameters and value parameters.



5.1 Basics

The syntax of SSL is given below. We use Name as a predefined lexical unit and describe the syntax using a variant of BNF (Backus-Naur-Form). More precisely we will just give an abstract syntax of the language. We assume the concrete syntax to be handled by an ordinary parser that provides us with the abstract representation in terms of the abstract syntax.

Please note, that we use prefixes in the syntax to make the role of the items clear. Prefixes are separated from the nonterminal name by a "-". Prefixes do not have a semantics.




252    R. Eschbach et al.



5.2 Specifications and Procedures

An SSL specification describes a concurrent system. It is given as a list of variables, a list of local specifications, a list of locally defined procedures, and a main expression. To execute an SSL specification means to first start the execution of the enclosed specifications and then to evaluate the main-expression. The enclosed specifications evaluate their main-expression concurrently with it.

  SslSpecification ::= Spec-Name Variable-Name* SslSpecification* ProcedureDef* Main-Expression



  specification Hanoi
    procedure hanoi (ref x,y,z, val n)
      if n = 1 then
        x:=x-1; z:=z+1; return;
      else
        call hanoi(x,z,y,n-1); call hanoi(x,y,z,1);
        call hanoi(y,x,z,n-1); return;
    end hanoi

    var x, y, z, n
    begin Hanoi
      x := 4; y := 0; z := 0; n := 4; call hanoi(x,y,z,n);
    end Hanoi

Fig. 2. Specification Hanoi



A procedure is given as a list of its parameters and an expression for the body.

  ProcedureDef ::= Proc-Name Parameter* Body-Expression
  Parameter    ::= RefParameter | ValParameter
  RefParameter ::= Variable-Name
  ValParameter ::= Variable-Name



5.3 Expressions

Expressions in the scope of SSL include also the usual behavior of statements. In this case, their return value is simply ignored. The nonterminal Fct denotes constants (like 0 and 1) as well as functions (as + and -). The meaning of these constructs is supposed to be part of the SSL language. The semantics of If, Var, Assign, Proc, ProcReturn and Quit is as usual. For Seq, the semantics is the sequential interpretation of the subexpressions. The resulting value of the Seq is the last one.

  Expression ::= Fct | If | Proc | Var | Assign | Seq | ProcReturn | Quit
  Fct        ::= Fct-Name Expression*
  If         ::= Test-Expression Then-Expression [Else-Expression]
  Proc       ::= Proc-Name Expression*
  Var        ::= Variable-Name
  Assign     ::= Variable-Name Value-Expression
  Seq        ::= First-Expression Rest-Expression*
  ProcReturn ::= [Expression]
  Quit       ::=

Please note, that the syntax domain names are also used as the constructors for the syntax tree. A sample specification can be found in Figure 2.

6 Compilation

The SAM compilation defines a mapping from the behavioral part of the SSL abstract syntax into SAM behavior. In fact, an abstract SAM code is defined as the result of this mapping. The behavior belonging to the behavior primitives in the abstract code is defined within section 7.

6.1 Basics

In this section, we define a compilation function for SSL specifications and for procedures.

  compileSpec : SslSpecification → SamCode
  compileProc : ProcedureDef → SamCode

For the representation of code, we use a special labeling. Each instruction has a label attached to it. The specification keeps the information of the current label and selects the instruction to process according to this label. Therefore, we introduce a static domain Label. The abstract code is then a set of instructions and an instruction a tuple consisting of a label and a primitive.

  SamCode = Instr-set
  Instr   = Label × Primitive

The compiled code of all specifications and procedures is merged together in the initial state. Specifications and procedures are characterized by the functions

  entrySpec : SslSpecification → Label,
  entryProc : Proc-Name → Label

which return the entry labels. For SAM we introduce the following primitives. Again, the prefixes are without semantic relevance.



  Primitive = Fun ∪ If ∪ Var ∪ Assign ∪ Proc ∪ Return
  Fun       = Fun-Name × Value-Label* × Next-Label
  If        = Condition-Label × Then-Label × Next-Label
  Var       = Var-Name × Next-Label
  Assign    = Var-Name × Value-Label × Next-Label
  Proc      = Proc-Name × Value-Label* × Ref-Var-Name* × Next-Label
  Return    = Value-Label



In order to define the compilation function, we introduce two auxiliary functions.

  label : Expression → Label

This function is provided by the compiler: a unique labeling of the expressions. Entry labels of expressions are determined by a recursive function

  entry : Expression → Label

In the remaining text, we use the following convention: we often write x.f instead of f(x). Function entry is recursively defined as follows.

  entry(e : Expression) =
    if e ∈ Seq then entry(e.First-Expression)
    elseif e ∈ Assign then entry(e.Value-Expression)
    elseif e ∈ If then entry(e.Test-Expression)
    elseif e ∈ Fct then
      if e.Expression-seq ≠ ⟨⟩ then entry(first(e.Expression-seq)) else label(e)
    elseif e ∈ Proc then
      if e.Expression-seq ≠ ⟨⟩ then entry(first(e.Expression-seq)) else label(e)
    else label(e)
Given these domains and functions, we can define the compilation function and the entry labels as below.



6.2 Compilation of Expressions

The compilation of expressions is the main part of the compilation function. We present below a part of it in order to make the idea clear. There is nothing complicated to the omitted parts. We have introduced appropriate comments marked with '//'.

  compileExpr(e : Expression, next : Label) =
    if e ∈ Var then                      // evaluate the variable
      { mk-Instr(label(e), mk-Var(e.Variable-Name, next)) }
    elseif e ∈ If then                   // first evaluate the test, then switch to the branches
      compileExpr(e.Test-Expression, label(e)) ∪
      { mk-Instr(label(e),
                 mk-If(label(e.Test-Expression), entry(e.Then-Expression), elseLabel)) } ∪
      compileExpr(e.Then-Expression, next) ∪
      compileExpr(e.Else-Expression, next)
    elseif ...
    where
      elseLabel = if e.Else-Expression = undefined then next
                  else entry(e.Else-Expression)

6.3 Compilation of Specifications and Procedures

The compilation of a specification is just the compilation of its main expression. The entry label of a specification is the entry label of its main expression.

  compileSpec(s : SslSpecification) =
    compileExpr(s.Main-Expression, undefined)

  entrySpec(s : SslSpecification) =
    entry(s.Main-Expression)

The compilation of a procedure is just the compilation of its main expression. The entry label of a procedure is the entry label of its main expression.

  compileProc(p : ProcedureDef) =
    compileExpr(p.Body-Expression, undefined)

  ∀ p ∈ ProcedureDef : entryProc(p.Proc-Name) =
    entry(p.Body-Expression)

The simplified result of the compilation of the sample specification (see Figure 2) without procedure hanoi can be found below in Figure 3. Apart from the generated code, the following equation holds:

  entrySpec(Hanoi) = H0
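The compilation scheme of Sections 6.1 to 6.3, as an added Python example that is not part of the paper: a unique labeling, the entry function and compileExpr for Var, Fct, Assign, If, Seq and Proc nodes of a tuple-based SSL abstract syntax, applied to the main expression of specification Hanoi. The tuple AST shape, the Compiler class and the helpers compile_spec and trace are assumptions of this example; a Proc node carries its reference actuals as a separate list of variable names.

```python
# Added example (not the paper's code): label-based compilation of SSL expressions.
# AST nodes are tuples: ('fct', name, [args]), ('var', name), ('assign', name, expr),
# ('if', test, then, else_or_None), ('seq', [exprs]), ('proc', name, [args], [refvars]).

class Compiler:
    def __init__(self):
        self._labels = {}   # id(node) -> label; realizes the unique labeling 'label'
        self._count = 0

    def label(self, e):
        key = id(e)
        if key not in self._labels:
            self._labels[key] = "H%d" % self._count
            self._count += 1
        return self._labels[key]

    def entry(self, e):
        """Label of the first instruction executed for e (function 'entry')."""
        kind = e[0]
        if kind == 'seq':
            return self.entry(e[1][0])
        if kind == 'assign':
            return self.entry(e[2])
        if kind == 'if':
            return self.entry(e[1])
        if kind in ('fct', 'proc') and e[2]:      # arguments are evaluated first
            return self.entry(e[2][0])
        return self.label(e)

    def _chain(self, exprs, last):
        """Compile exprs so that each one continues at the entry of its successor."""
        code = {}
        for i, sub in enumerate(exprs):
            nxt = self.entry(exprs[i + 1]) if i + 1 < len(exprs) else last
            code.update(self.compile_expr(sub, nxt))
        return code

    def compile_expr(self, e, nxt):
        """compileExpr: returns {label: (primitive, next)}, the graph of samInstr."""
        kind, lab = e[0], self.label(e)
        code = {}
        if kind == 'var':                          # evaluate the variable
            code[lab] = (('var', e[1]), nxt)
        elif kind == 'fct':                        # evaluate the arguments, then apply
            code.update(self._chain(e[2], lab))
            code[lab] = (('fun', e[1], [self.label(a) for a in e[2]]), nxt)
        elif kind == 'assign':                     # evaluate the value, then store it
            code.update(self.compile_expr(e[2], lab))
            code[lab] = (('assign', e[1], self.label(e[2])), nxt)
        elif kind == 'if':                         # test first, then switch to a branch
            test, then, els = e[1], e[2], e[3]
            else_label = nxt if els is None else self.entry(els)
            code.update(self.compile_expr(test, lab))
            code[lab] = (('if', self.label(test), self.entry(then)), else_label)
            code.update(self.compile_expr(then, nxt))
            if els is not None:
                code.update(self.compile_expr(els, nxt))
        elif kind == 'seq':                        # a Seq has no instruction of its own
            code.update(self._chain(e[1], nxt))
        elif kind == 'proc':                       # value actuals first, then the call
            code.update(self._chain(e[2], lab))
            code[lab] = (('proc', e[1], [self.label(a) for a in e[2]], e[3]), nxt)
        else:
            raise ValueError("unknown expression kind %r" % (kind,))
        return code


def hanoi_main():
    """Constructed AST of the main expression of specification Hanoi (Figure 2)."""
    return ('seq', [
        ('assign', 'x', ('fct', '4', [])),
        ('assign', 'y', ('fct', '0', [])),
        ('assign', 'z', ('fct', '0', [])),
        ('assign', 'n', ('fct', '4', [])),
        ('proc', 'hanoi', [('var', 'n')], ['x', 'y', 'z']),
    ])


def compile_spec(main_expr):
    """compileSpec/entrySpec of Section 6.3: code and entry label of a specification."""
    c = Compiler()
    return c.compile_expr(main_expr, None), c.entry(main_expr)   # None plays 'undefined'


def trace(code, start):
    """Follow the Next field of straight-line code from start; returns the primitives."""
    prims, lab = [], start
    while lab is not None:
        prim, lab = code[lab]
        prims.append(prim)
    return prims
```

Tracing the Hanoi main expression from its entry label yields the ten instructions of Figure 3 (fun, assign, ..., var, proc), with the proc instruction pointing at the label that evaluated n.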

7 SAM: An Abstract Machine for SSL

In this section we introduce an abstract machine for SSL called SAM, corresponding to the SDL Abstract Machine. The intention of our approach is to compile each SSL instruction to a set of "simple" instructions, and to give these "simple" instructions a rigorous meaning. Like in [17] and [3], we present the definition of SAM in several steps. In each step we add some details of a particular aspect of the language SSL. After introducing some basics, we present in the first step the semantics of "simple" primitives like the evaluation of assignments. In a second step we add the meaning of procedure calls and returns. In the last step we add the distribution to SAM.
  Label  Primitive                     Next  Comment
  H0     fun(4, ())                    H1    val of 4
  H1     assign(x, H0)                 H2    x := 4
  H2     fun(0, ())                    H3    val of 0
  H3     assign(y, H2)                 H4    y := 0
  H4     fun(0, ())                    H5    val of 0
  H5     assign(z, H4)                 H6    z := 0
  H6     fun(4, ())                    H7    val of 4
  H7     assign(n, H6)                 H8    n := 4
  H8     var(n)                        H9    val of n
  H9     proc(hanoi, (H8), (x, y, z))  H10   call of hanoi(x, y, z, n)

Fig. 3. Compilation of specification Hanoi

7.1 Basics

In this section we describe how states are realized in SAM. Usually, a state is a mapping of variable names to values. In SAM locality and scope of variables are given by a model in which variable names are mapped to (memory) locations containing values. This model allows for call-by-value and call-by-reference semantics, i.e. procedures can have reference and value parameters. To this aim we introduce a dynamic domain Location for locations and dynamic, controlled functions

  loc : VarName → Location
  val : Location → Value

We use here and in the following VarName, FunName and ProcName as synonyms for Name. We use in the following a static, controlled function

  samInstr : Label → Primitive,

which treats the sets of pairs returned by the compilation functions as a function. This is possible since the compilation functions always compute a graph of a function. Furthermore, we introduce a kind of program counter, modeled by

  curr : → Label

which returns the label associated with the instruction to be executed next. During the dynamic execution of a program intermediate values can be stored at labels. More precisely, we introduce the dynamic, controlled function

  mem : Label → Value

for this purpose. In case of a sequence seq = (l₁, …, lₙ) of labels we simply write mems(seq) for the sequence (mem(l₁), …, mem(lₙ)).

Function names are evaluated by a static function eval that is provided by the data semantics of the language. This would again be part of the data interface in the case of SDL.

  eval : FunName × Value* → Value
7.2 Simple Primitives

In this section we describe the semantics of simple primitives of SAM. These primitives are used for the evaluation of expressions, assignments, and conditions.

The evaluation of expressions is realized by macros Fun and Var. Constant names and function names are evaluated with the macro Fun. This macro requires three formal parameters: a function name funcName, a sequence of labels labels, and a continue label next. The intention is that values stored at labels are extracted with function mems. Function funcName is evaluated with these values, and the resulting value is stored at curr.

  Fun(funcName, labels, next) =
    mem(curr) := eval(funcName, mems(labels)),
    curr := next

Variable names are evaluated with the macro Var in a similar way as function names. This macro requires two formal parameters: a variable name varName, and a continue label next.

  Var(varName, next) =
    mem(curr) := val(loc(varName)),
    curr := next

Assignments are evaluated with the macro Assign. This macro requires three formal parameters: a variable name varName, a value label label, and a continue label next. Macro Assign essentially sets the value of variable name varName to the value stored in label and jumps to continue label next.

  Assign(varName, label, next) =
    val(loc(varName)) := mem(label),
    curr := next

Furthermore, there exists a macro If which evaluates conditions. Due to its simplicity we omit the corresponding definition.

7.3 Procedures

Before we can define macros for procedure call and return we must have some means for storing multiple values of several incarnations of a function. To this aim we introduce frames which are organized as stacks. The universe Frame comprises at each point of time a finite set of frames which initially contains one element. A dynamic, controlled function topFrame : → Frame indicates the current top of the stack. The function prev : Frame → Frame returns for each frame its predecessor (if there is any). The following dynamic, controlled functions are introduced for the procedure call and return mechanism. The former function corresponds to a kind of return address, the latter gives the information at which label the result of a procedure must be stored.

  returnLabel : Frame → Label
  resultLabel : Frame → Label

We change the declaration of function loc to

  loc : VarName × Frame → Location

This means we have to rewrite almost every rule defined so far. Instead of doing so we simply state that every previous occurrence of f(x) should be replaced by f(x, topFrame), where f is one of the functions {loc, mem} (cf. Figure 4).

For example, rule Var becomes now

  Var(varName, next) =
    (current, topFrame) :=
      ( (varName, topFrame)),
    current := next

The call macro requires four formal parameters: a procedure name procName, a sequence of labels labels, a sequence of variable names varNames, and a return label label. A procedure call leads to the creation of a new frame. The new frame is pushed on the stack of frames, and the return label and the result label for this frame are set. The variable bindings are established by a parameter passing mechanism or by the creation of local variables.

  (procName, labels, varNames, label) =
    extend Frame with frame
      s r (frame, label),
      r t r ss g(procName, labels, varNames, frame),
      r t rs(procName, topFrame),
      current := pr r (procName)

The macro s r pushes frame on the stack of frames, and updates r r and r s:

  s r (frame, label) =
    topFrame := frame, pred(frame) := topFrame,
    r r (frame) := label, r s (frame) := current

The macro r t r ss g realizes the parameter passing mechanism, i.e. it handles the passing of value and reference parameters.

  r t r ss g(procName, labels, varNames, frame) =
    ss f r t rs(procName, varNames),
    ss r t rs(procName, labels),
    t t g(procName, frame)

The macro ss f r t rs has two formal arguments: the procedure name procName and the sequence of actual reference parameters varNames. This macro realizes the parameter passing mechanism for reference parameters. This means the references of variable names to locations in the current state are changed appropriately. We use a function r f r, applied to a procedure name and an index, to determine the reference parameters. The function |.| denotes the length function for sequences.
  ss f r t rs(procName, varNames) =
    for i ∈ {1, ..., |varNames|}
      (r f r(procName, i), topFrame) :=
        (varNames(i), topFrame)

The macro ss r t rs creates for each value parameter a new location. Each label in the sequence labels has a value in frame. We write simply labels(i) to project on the i-th component of this sequence. The value of a new location location is set to the value stored at labels(i) in frame, where i ranges over {1, ..., |labels|}. The location for the i-th value parameter, given by a function r applied to the procedure name and the index i, is set to the new location. We assume that the size of labels equals the number of value parameters.

  ss r t rs(procName, labels) =
    for i ∈ {1, ..., |labels|}
      extend Location with location
        (location) := (labels(i), topFrame),
        ( r(procName, i), topFrame) := location

Let p be a procedure name. We introduce a static function

  g : r × r → r

which returns for each variable name and each procedure name the name of the procedure to which the variable name is bound according to the static scope rules.

The function t (varName, procName, frame) evaluates, for a given variable name x, the stack starting with frame in order to determine the first frame F such that the equation g(x, procName) = pr (F) holds. The dynamic, controlled function pr : Frame → r returns for each frame the name of the corresponding procedure.

  t (varName, procName, frame) =
    if g(varName, procName) = pr (frame)
    then t (varName, frame)
    else s (varName, procName, pred(frame))

The macro t t g saves procName in frame and creates a variable binding for those variables which are not defined in the body of procName.

  t t g(procName, frame) =
    pr (frame) := procName,
    for varName ∈ r
      if g(varName, procName) ≠ procName
      then t (varName, topFrame) :=
             (varName, procName, topFrame)

The macro r t rs creates new locations for the local variables associated with a procedure or a program. Local variables are determined by means of a static function rs that maps a name to a set of variable names.

  r t rs(name, frame) =
    for varName ∈ rs(name)
      extend Location with location
        (varName, frame) := location

The macro t r essentially removes the top frame of the stack, saves the result according to the result label, and jumps to the return label.

  t r (label) =
    topFrame := pred(topFrame),
    (r s (topFrame), pred(topFrame)) :=
      (label, topFrame),
    current := r r (topFrame)
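The call and return macros above, the static binding function and the stack walk can be exercised with a small model. The following Python program is an added illustration (it is not the paper's ASM and not part of the SDL machine): frames sit on a pred-linked stack, reference parameters are bound by aliasing the caller's location, value parameters and locals get fresh locations, a variable is resolved by walking the stack to the first frame of its static owner procedure, and the frame is popped on return. The PROCS table, the procedure names and the procedure bodies are constructed for the example; passing the result through a result label is simplified to an ordinary Python return.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed program: each procedure declares its reference parameters,
# value parameters, local variables and the procedure it is nested in.
PROCS = {
    "main": dict(refs=[], vals=[], locals=["x", "y", "n"], parent=None),
    "swap": dict(refs=["a", "b"], vals=[], locals=["t"], parent="main"),
    "bump": dict(refs=[], vals=["k"], locals=[], parent="main"),
}


def binding(var: str, proc: str) -> str:
    """Static scope rule: the procedure whose declaration `var` refers to
    when it occurs in the body of `proc` (the static binding function)."""
    p: Optional[str] = proc
    while p is not None:
        d = PROCS[p]
        if var in d["refs"] or var in d["vals"] or var in d["locals"]:
            return p
        p = d["parent"]
    raise KeyError(f"{var!r} is not visible from {proc!r}")


@dataclass
class Frame:
    proc: str                        # procedure this incarnation belongs to
    pred: Optional["Frame"]          # predecessor on the frame stack
    locs: Dict[str, int] = field(default_factory=dict)  # variable -> location


class Machine:
    def __init__(self) -> None:
        self.store: Dict[int, int] = {}        # location -> content
        self.top = Frame("main", None)         # the initial frame
        for v in PROCS["main"]["locals"]:
            self.top.locs[v] = self.new_location()

    def new_location(self, init: int = 0) -> int:
        loc = len(self.store)
        self.store[loc] = init
        return loc

    def location(self, var: str, frame: Frame) -> int:
        """Walk the stack from `frame` to the first frame whose procedure is
        the static owner of `var`, then read the binding stored there."""
        owner = binding(var, frame.proc)
        f: Optional[Frame] = frame
        while f is not None and f.proc != owner:
            f = f.pred
        if f is None:
            raise RuntimeError(f"no active frame of {owner!r} for {var!r}")
        return f.locs[var]

    def get(self, var: str) -> int:
        return self.store[self.location(var, self.top)]

    def set(self, var: str, value: int) -> None:
        self.store[self.location(var, self.top)] = value

    def call(self, proc: str, ref_args: List[str], val_args: List[int]) -> None:
        """Push a frame: reference parameters alias the caller's locations,
        value parameters and locals get fresh locations."""
        d = PROCS[proc]
        if len(ref_args) != len(d["refs"]) or len(val_args) != len(d["vals"]):
            raise TypeError("actual/formal parameter count mismatch")
        caller = self.top
        frame = Frame(proc, caller)
        for formal, actual in zip(d["refs"], ref_args):
            frame.locs[formal] = self.location(actual, caller)
        for formal, actual in zip(d["vals"], val_args):
            frame.locs[formal] = self.new_location(actual)
        for v in d["locals"]:
            frame.locs[v] = self.new_location()
        self.top = frame

    def ret(self) -> None:
        """Pop the top frame (the result label mechanism is left out here)."""
        if self.top.pred is None:
            raise RuntimeError("return from the initial frame")
        self.top = self.top.pred


# Constructed procedure bodies, written against the machine interface.
def run_swap(m: Machine, x: str, y: str) -> None:
    m.call("swap", [x, y], [])             # a, b alias the caller's x, y
    m.set("t", m.get("a")); m.set("a", m.get("b")); m.set("b", m.get("t"))
    m.ret()


def run_bump(m: Machine, k: int) -> None:
    m.call("bump", [], [k])                # k is a private copy
    m.set("n", m.get("n") + m.get("k"))    # n resolves to main's n (static scope)
    m.set("k", 0)                          # does not touch the caller
    m.ret()


def demo() -> tuple:
    m = Machine()
    m.set("x", 1); m.set("y", 2); m.set("n", 10)
    run_swap(m, "x", "y")
    run_bump(m, m.get("x"))
    return m.get("x"), m.get("y"), m.get("n"), m.top.proc
# demo() -> (2, 1, 12, 'main')
```

The swap shows call-by-reference (the caller's x and y are exchanged through the aliased locations), the bump shows call-by-value (writing k leaves the caller's value untouched) and static binding (n inside bump resolves to the n of main by walking the pred chain to a frame of the owner procedure).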



[Figure: State and Control Information]
7.4 Distribution

In this section we refine the ASM defined so far to a distributed abstract machine. The underlying distribution model consists of several agents which execute their programs and communicate by means of shared variables. The refinement step is done in a similar way as in the preceding section, namely by changing the declaration of some existing functions. We provide each agent with its own program counter. To this aim we change the declaration of the functions current and topFrame to

  current : Agent → Label
  topFrame : Agent → Frame

Every previous occurrence of f inside macros should be replaced by f(Self), where f is one of the functions {current, topFrame}.
8 Initialization and Execution

With the abstract machine being defined, we can now assign a formal semantics to specifications by associating, with each specification, a set of initial states and a program. Please note that conceptually it is better to think of programs of the specification language, because the instructions considered here are its instructions; formally, the programs below are ASM programs.

8.1 Initial States

In the ASM model, the set of initial states is usually defined by constraints imposed on domains, functions, and predicates. These constraints are required to hold in the first state of each run of the abstract state machine. Initial constraints are stated by formulae that are preceded by the keyword initially, i.e. in a property-oriented style.

As it turned out during work on the SDL formal semantics, a property-oriented definition of the set of initial states, given by the set of agents, agent sets, and link agents together with the initial values of all functions and predicates defined on these agents, is rather complex and hard to follow. Therefore, a different approach has been chosen, which may be characterized as a combination of constraints and initial computations: several (simple) constraints determine the so-called set of pre-initial states. The actual set of initial states is determined by the initialization phase that starts in a pre-initial state, and creates a set of agents as well as the system structure.

To give a flavor of the approach taken in the formal semantics, we adapt it here to define the set of initial states associated with a specification. A nullary function

    : → Agent

is introduced to refer to the pre-initial system agent. Furthermore, we define

  p p : → ss p
  p : Agent → ss p

The set of pre-initial states is defined by the following set of constraints (strictly speaking, the set of pre-initial states is the set of initial states of the ASM model):

  initially Agent = { }
  initially ss I s r =
    ∪{p ∈ ss p : p. p p } ∪
    ∪{g ∈ pr r f : p.pr - }
  initially . p = p p
  initially .current = P P
  initially . = Init
  initially Frame = { fs r }
  initially .topFrame = fs r

The value of the static function ss I s r is determined by the compilation defined in Section 6. It is the complete code of all behavior parts within the specification. Furthermore, the pre-initial values of certain functions are defined. The function p associates with each agent the abstract syntax description of its specification. For the pre-initial system agent, this is defined by the nullary function p p, that is, the main specification. The start label of a specification is obtained from the function r p, as defined in Section 6.

Finally, the behavior of the pre-initial agent is determined by assigning the module Init, which determines its steps during the initialization phase:

  Init =
    forall p ∈ Self. p .ss p -s q
      extend Agent with a
        extend Frame with frame
          a. p := p, a.topFrame := frame
          a.current := p. r
          r t rs(Self. p .sp - , Self.topFrame)
          Self. := p , a. := Init

Firing of Init creates, for each specification defined in the specification of the current agent, one agent executing the module Init. Furthermore, the local variables of the corresponding specification are created. This leads to a recursive unfolding of the tree of specifications defined by the top level specification. The macro r t rs is defined in Section 7.3.

In the SDL semantics, it is important that the initialization phase is completed before the execution phase starts. This is achieved by a mechanism that blocks agents after their initialization until the initialization phase has ended. For simplicity, we have not modeled this mechanism in the solution presented here.

8.2 Execution of Specifications

The execution of a specification is given by the following module:

    = I str t (Self.current.ss I s r)

The evaluation of an instruction is given by the macro I str t. Depending on the type of an instruction a corresponding macro is executed. For example, an instruction of type Assign leads to the execution of the macro Assign, as illustrated in the following.

  I str t (p) =
    if ...
    elseif p ∈ Assign
      then Assign(p. , p. - , p. t- )
    elseif p ∈
      then (p. , p. - -s q, p.r f- -s q, p. t- )
9 Conclusions

In this paper, we have presented the transformational/operational approach which has been successfully applied to define the semantics of SDL-2000 formally. We have illustrated some basic techniques of the approach using a simple specification language.

The following topics have been covered:

— Abstract machine: The semantics is based on an abstract machine. This machine is an extension of the ASM model and is specifically tailored towards the needs of the specification technique. It introduces an abstract code for the language and could therefore also be used for its implementation. The abstract machine comprises a set of machine instructions and their semantics as well as some domains and functions. An important part of the abstract machine is the built-in procedure model that allows for call-by-value and call-by-reference parameter passing semantics. Furthermore, the concept of static binding is built into the abstract machine.

— Compilation: A program/specification of the specification technique is given a semantics by transforming it into the abstract machine. This is essentially an abstract compilation function. The compilation transforms the domain of the abstract syntax trees into the domain of abstract machine instruction sets. The execution of these sets is then covered within the description of the abstract machine.

— Initialization: In order to run a specification on the abstract machine, a special initialization has to be performed. To this end, the abstract syntax tree is used to determine the internal parts of the specification to be initialized. These parts are then initialized as well. This way, the initialization takes care of structural information, while the behavioral information is handled by the compilation function. The same initialization behavior could also be used for dynamic creation of specifications.

The subdivision of the semantics into the parts presented above has proved very useful in the context of SDL, as it is essential here to be able to adjust the semantics to the development of the language. This is achieved by using two layers of abstraction: (1) abstract the concrete syntax into an abstract syntax, (2) transform the abstract syntax to an abstract machine.

It should be noted that the formal semantics has been conceived in parallel to the language definition itself. During this process, several substantial changes to the language definition, which turned out to be a "moving target", were made. These changes of course affected the formal semantics definition, but usually did not

Finally, it should again be stressed that the work reported here is not an academic exercise, but takes place in a real-life, industrial setting. In our opinion, it is this kind of work academic efforts should eventually lead to. The successful application of mathematical formalisms to real-world problems and their approval by industry is a strong selling point for having formalisms at all. In this sense, the work in progress reported in this paper is one important step in this direction.
Abstract. In this paper, we describe how cycle-accurate processor behavior may be efficiently described using Abstract State Machines (ASMs). Given a register transfer description of the target processor, an extraction mechanism is described following the approach in [26] that extracts so called guarded register transfer patterns from the processor description. It will be shown that these may be directly transformed into a set of ASM rules which in turn provide an executable model of the processor for simulation purposes. Here, we use a description language from which the Gem-Mex tool [2] automatically generates a graphical simulator of a given architecture. The feasibility of this approach is demonstrated for an example microprocessor.

1 Introduction

Areas such as digital signal processing and process control have brought up new kinds of processor architectures which are dedicated to their specific needs and frequently called ASIPs (application-specific instruction set processors). Examples are digital signal processors (DSPs) and micro-controllers. Especially in the area of embedded systems, efficiency of both the architecture and the compiler for code generation is of utmost importance.

Hence, a new area dealing with the problem of simultaneously developing processor architecture and compiler has just emerged: architecture and compiler co-design.

Here, we describe a method that starts with an extraction method following the approach of Leupers [26] that enables an efficient description and extraction of the instruction set of a given register transfer description of the target architecture. The instruction set of a processor may be described by a set of guarded register transfer patterns. Here, these patterns are translated directly into a set of Gurevich's [ 7] ASM (abstract state machine) rules, a model for parallel computation that has already been widely used for describing the semantics of as well problem-oriented languages (like [ ], Prolog [ ], Oberon [22], Java [3 ]) as hardware description languages (e.g., behavioral VHDL [ ]). Several case

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. 266-286, 2000.
© Springer-Verlag Berlin Heidelberg 2000
studies to describe processor architecture hardware (e.g., [7,6], a microprocessor [ 9]) have successfully demonstrated the capabilities of ASMs for modeling the behavior of hardware and show how those specifications may be refined, e.g., to express pipelining [ ,5].

In [2], Del Castillo and Hardt use the specification language ASM-SL for modeling processor behaviors by ASMs. ASM-SL is the basis of a tool environment called "the ASM Workbench" which supports syntax- and type-checking of specifications as well as simulation and debugging of ASMs. Unfortunately, Del Castillo and Hardt do not show how to derive ASM descriptions automatically. So what existing studies of using ASMs for hardware description miss (see [9] for a reference bibliography) is a systematics to automatically derive ASM descriptions from known models, such as register transfer descriptions, e.g., from specifications written in hardware description languages (VHDL [ ], MIMOLA [4], nML [ 4], etc.).

In the following, we list some significant approaches aiming at code generation for retargetable processors.

— The RECORD system [26], developed at the University of Dortmund, aims at automatic code generation for fixed-point DSPs with a fixed instruction word length. The application program, written in a data flow language (DFL), is internally represented by a control-/data flow graph. The target processor has to be specified by the user in the structural hardware description language MIMOLA [4]. RECORD is a further development of the machine-independent compiler MSSQ [2 ,27] which generates microcode based on a MIMOLA description of the target architecture.

— The hardware description language nML [ 4] describes a processor in terms of its instruction set. A machine description is organized as an attribute grammar with the derivation rules structuring the description and the attributes defining the instructions' properties. For nML, a rather simple model of execution is proposed: a running machine executes a single thread of instructions which are held in a memory and are addressed via a program counter. The language permits concise, hierarchical processor description in a behavioral style.

— The CBC/SIGH/SIM environment [ 3] consists of the retargetable code generator CBC, which uses a standard code-generator generator for instruction selection, and the instruction set simulator SIGH/SIM. Target architectures are described via nML, application programs are given in a high level language. The basic idea of SIGH/SIM is to generate a single C++ function for each instruction of the target processor simulating the impact of the instruction's execution on the processor's state. However, in case of pipelined architectures, this leads to enormous costs because the C++ functions have to be copied for each pipeline stage.

— Another tool using nML is CHESS [ 6,25], developed at IMEC in Leuven, Belgium, a retargetable code generation environment for fixed-point DSP processors. CHESS uses a mixed behavioral/structural processor model supporting load/store architectures and both homogeneous and heterogeneous register structures. The application program is represented by a control-/data flow graph. The processor description is represented by a so called instruction set graph containing the register set and a compact description of the instruction set. CHESS supports automatic bit alignment and generates machine code to be simulated by the instruction set simulator CHECKERS [25].

— FlexWare [29] uses a mixed model for behavioral/structural processor description. Target processors are described by three separate structures: the set of available instruction patterns, a graph model representing the data-path, and a resource classification that accounts for special-purpose registers. The whole framework consists of the retargetable code generator CodeSyn and the instruction set simulator Insulin. CodeSyn takes one or more algorithms expressed in a high-level language and maps them onto a user defined instruction set to produce optimized machine code for a target ASIP or a commercial processor core. Insulin is based on a reconfigurable VHDL model of a generic instruction set processor. Due to the use of standard VHDL tools, the advantage of this approach is not the generation of highly efficient code but the time saving in processor model development [29].

— [24] is an automata-theoretic approach describing the behavior of the data-path as finite state machines which are extracted from a register transfer level description of the target processor based on a VHDL template.

In this paper, we show how a simulator of a processor architecture, given either a netlist or a graphical description of its data-path, may be automatically generated as follows:

1. Instruction set extraction: Using ideas of the work of Leupers [26], the instruction set of a processor may be automatically extracted from a processor description, resulting in a set of so called guarded register transfer patterns that describe the cycle-accurate behavior of the instruction set architecture.

2. ASM generation: From this set of patterns, we show that an ASM description that also reflects the cycle-accurate behavior of the processor may be automatically generated. In particular, we present a code translation methodology that generates an ASM description in the language of [ ].

3. Simulator/Debugger generation: In the last step, the existing simulation and prototyping environment Gem-Mex [23] is used in order to generate a simulator/debugger for this ASM. A major advantage of using this methodology is its efficiency in the number of simulation cycles per second that may be obtained for simulating the execution of a microprocessor.

4. Generic simulation core: Another highlight of our approach is that the functional behavior of instructions of many different number representations and word-lengths may be considered using an arbitrary precision integer engine.

[Fig. 1. Simple processor architecture]

5. Library of generic instructions: Based on the above simulation core, a library of generic instructions including arithmetic, transport operations, and number conversions encountered in almost any microprocessor is supported.

2 Generic Description of Instruction Sets

2.1 Register Transfers

During the execution of a machine instruction, several register transfers may take place. In [26], the set of these register transfers is represented by so called register transfer patterns (RTPs) which are templates of register transfers. A register transfer (RT) in turn reads input values from registers, memory cells, and/or input ports, performs a computation, and assigns the result to a destination. That way, an RTP reflects the capabilities of the data-path of the microprocessor under question.

Example 1. Fig. 1 shows the architecture of a simple processor consisting of its control- and data-path. I stands for instruction word, i denotes an input port, and the boxes labeled in the figure denote (scalar) registers and memories, where IM is the instruction memory. The terms in parentheses (hi:lo) denote the respective bit index subrange of the instruction word I.

Given a processor with a set of registers REG, a set of memories MEM, a set of input ports P_in, and a set of output ports P_out, we give the following definitions which are close to Leupers' [26]:

Definition 1 (RT expression). A register transfer (RT) expression is either

— a binary constant B over {0, 1},
— a scalar read access readr(r) or readp(p) with r ∈ REG, p ∈ P_in,
— a memory read access readm(m, a) where a is a register transfer expression and m ∈ MEM,
— a computation expression op(e_1, ..., e_k) where op is an operator of arity k and e_1, ..., e_k are RT expressions, or
— a subrange expression e' = e.(hi : lo) where e is an RT expression and (hi : lo) denotes a bit index subrange.

Definition 2 (RT destination). A register transfer (RT) destination is either

— a scalar write access writer(r) or writep(p) with r ∈ REG, p ∈ P_out, or
— a memory write access writem(m, a) where a is a register transfer expression and m ∈ MEM.

Definition 3 (RT pattern). A register transfer pattern (RTP) is a pair (d, e) where d is a register transfer destination and e is a register transfer expression.

The set of RTPs of a processor under consideration may be extracted automatically by traversing the signal paths from an arbitrary source to each destination d of the target architecture which are executable in one machine cycle.

Example 2. In Fig. 2, the data-path of a simple processor is shown. The RTPs that write R5 ∈ REG are given by the set:

  { (writer(R5), +(readr(R1), readr(R3))), (writer(R5), +(readr(R2), readr(R3))),
    (writer(R5), +(readr(R1), readr(R4))), (writer(R5), +(readr(R2), readr(R4))) }.

In general, if register files are the source and target of an instruction, the number of RTPs may be represented by templates; hence, only one RTP is needed for a class of targets, e.g., a register file.

From a hardware-oriented point of view, register transfers take place during the execution of each machine cycle. The execution of a particular register transfer, however, depends on the control-path and the machine state. Therefore, each RTP is coupled with a condition for its execution, a so-called register transfer condition (RTC).

Typical conditions for the execution of an RTP are

— static conditions, e.g., conditions involving condition codes, mode registers MR ⊆ REG, and instruction bits:
The mode register variables are defined as the set of Boolean variables

  $MRV = \bigcup_{\mu \in MR} \{ \mu_k \mid k \in \{0, \ldots, width(\mu) - 1\} \}$

with width(μ) denoting the width of the mode register μ, and the index k denoting the k-th bit position of the mode register μ.
Instruction bit variables are denoted by:

  $IBV = \{ I_k \mid k \in \{0, \ldots, L_w - 1\} \}$

with L_w denoting the processor's instruction word length and k indicating a specified bit position.



Description and Simulation of Microprocessor Instruction Sets Using ASMs 271

[Fig. 2. Simple data-path from which RTPs may be extracted. I.(0) to I.(3) denote the corresponding bits of the instruction word I of the control-path]



— dynamic (run-time) conditions, e.g., the equality of two register contents. Let COMP denote the set of all comparisons permissible on a processor, i.e., the set of expressions of the form op(e_1, e_2) where op ∈ {=, ≠, <, >, ≤, ≥} is a comparison operator. The dynamic control variables are defined as:

  $DCV = \{ D_c \mid D_c \in \{0, 1\},\ c \in COMP \}$

Definition 4 (RT condition). A register transfer condition (RTC) is a Boolean function $F : \{0,1\}^{|K|} \to \{0,1\}$ over the set of Boolean variables IBV ∪ MRV ∪ DCV with K = IBV ∪ MRV ∪ DCV.

A register transfer is executed if and only if its RTC evaluates to true for a given machine state. With the concept of RTCs, we can consider a processor as a machine which in every control step executes the same set of parallel guarded operations, each of which has the form

  IF <register_transfer_condition> THEN <register_transfer_pattern>

In general, RTCs may be arbitrary combinations of static and dynamic conditions, and therefore may be considerably complex.

Definition 5 (Guarded register transfer pattern (GRTP)). A GRTP is a pair (F, T) where F is an RTC and T is an RTP.
Now, instruction set extraction is the task of computing all GRTPs for a given processor. For a computational procedure for instruction set extraction, Leupers uses an internal graph data structure that is generated from a MIMOLA netlist of the processor, see [26] for details. By recursively traversing this graph, the complete set of GRTPs may be extracted efficiently.

GRTPs capture all information required for code generation. RTPs represent the RTs that a processor can execute, while RTCs represent the required machine state in terms of partial instructions and mode register states, as well as possible dynamic conditions.

Example 3. Consider again the simple data-path shown in Fig. 2. I stands for instruction word, MR1 and MR2 denote mode registers. Suppose we want to evaluate the RT "R5 := R2 + R3"¹. Routing the value of R2 to the left input of the functional unit via the two multiplexers can be realized by control codes for MR1 and I.(0). By setting MR2 accordingly, the content of R3 is switched to the right input of the functional unit. Furthermore, loading R5 with the result of the functional unit can be enabled by setting I.(1). The corresponding RTC is

  F1 = I.(0) · I.(1) · MR1 · MR2

There exists also an alternative route for the transportation of R2 to the functional unit: If bus driver 1 is activated by setting I.(2), and the second multiplexer passes its right input (controlled by I.(0)), then the value of R2 is routed via the databus. A potential bus conflict needs to be avoided by setting driver 2 to a tristate mode (I.(3)). The control codes for I.(1) and MR2 remain unchanged. The resulting RTC is

  F2 = I.(0) · I.(1) · I.(2) · I.(3) · MR2

Since F1 and F2 are alternative conditions for the same operation, we obtain the GRTP

  ((F1 ∨ F2), R5 := R2 + R3)

¹ Short expression for the RTP (writer(R5), +(readr(R2), readr(R3))).

2.2 Mapping of Guarded Register Transfer Patterns to ASM Update Rules

In mathematics, domains², functions, and relations constitute what is called a structure. Structures without relations are traditionally called algebras. A sequential evolving algebra, now called ASM (abstract state machine) [ 7], can be defined by a set of transition rules

  IF <Cond> THEN <Updates>

Note that this formula already looks very much like a GRTP in case Cond is an RTC and Updates is an RTP. In general, Cond may be an arbitrary boolean

² In the following, also called universes [ 7].







valued expression (first-order logic formula) and Updates is a finite set of updates to be described later.

The operational semantics of an ASM may be described as follows [ 7]: The effect of a transition rule when applied to an algebra A is to produce another algebra A' which differs from A by the values of those functions at those arguments where the values are updated by the rule. If Cond is true, the rule can be executed by simultaneously executing each update in the set of updates. In order to understand this, we have to look at the definition of (function) updates because these are the mechanism by which the dynamics of arbitrary systems can be explicitly described.

Definition 6 (Function update). Let f be an arbitrary n-ary function and t_1, ..., t_n, t a sequence of parameters. Then a function update

  $f(t_1, \ldots, t_n) := t$

sets the value of f at (t_1, ..., t_n) to t.

ASMs allow function updates with arbitrary functions f and expressions t_i, t of any complexity or level of abstraction. Functions whose values can change are called dynamic in contrast to static functions which do not change.

Example 4. Again, we consider the guarded register transfer pattern (GRTP)

  ((F1 ∨ F2), R5 := R2 + R3)

from Example 3 with

  F1 = I.(0) · I.(1) · MR1 · MR2
  F2 = I.(0) · I.(1) · I.(2) · I.(3) · MR2

This pattern may be possibly described by the following guarded function update

  IF F1 ∨ F2 THEN contents(R5) := contents(R2) + contents(R3)

in which the set of registers may be modeled by a universe REG and the function contents : REG → WORD models the register write (read) depending on whether the expression contents(Ri) stands on the left hand side or the right hand side of the update. Hence, R5 := R2 + R3 in Example 3 reads the contents of registers R2 and R3, adds these values, and writes the sum into register R5.

In Example 4, we have seen that a guarded register transfer pattern (GRTP) naturally corresponds to a guarded ASM update rule.

In terms of ASM rules, a block of update rules is itself a rule. Hence, in a given state, the updates of all rules whose guards evaluate to true are executed simultaneously.
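As an added illustration (not the paper's code and not output of the Gem-Mex tool), the following Python program models the ASM step just described: every guard is evaluated on the current state, the updates of all firing rules are collected, and they are applied simultaneously, so a rule that reads R2 while another rule overwrites R3 in the same step still sees the old contents. The control codes chosen for F1 and F2, the second parallel rule and the register values are constructed for the example; the page does not give the actual bit values. The step also rejects an inconsistent update set (two rules writing different values to the same location), which ASM semantics does not allow.

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class State:
    """Constructed machine state: register contents, instruction word bits
    I.(k) and mode register bits (the universes of Section 2, as integers)."""

    def __init__(self, contents: Dict[str, int], ibits: Sequence[int], mr: Dict[str, int]):
        self.contents = dict(contents)   # contents : REG -> WORD
        self.I = list(ibits)             # I.(k) is the k-th instruction bit
        self.MR = dict(mr)               # mode register bits


Update = Tuple[str, int]                        # contents(r) := v
Rule = Tuple[Callable[[State], bool],           # guard: an RTC over the state
             Callable[[State], List[Update]]]   # updates: the RTPs it enables


def step(state: State, rules: List[Rule]) -> State:
    """One ASM step: evaluate all guards on the current state, collect the
    updates of every firing rule, refuse an inconsistent update set, and
    apply the collected updates simultaneously."""
    pending: Dict[str, int] = {}
    for guard, updates in rules:
        if guard(state):
            for reg, val in updates(state):      # reads see the old state only
                if reg in pending and pending[reg] != val:
                    raise ValueError(f"inconsistent updates to contents({reg})")
                pending[reg] = val
    nxt = State(state.contents, state.I, state.MR)
    nxt.contents.update(pending)
    return nxt


# Assumed control codes (constructed; the page does not give the bit values):
# F1 routes R2 through the multiplexers, F2 routes it over the databus.
def F1(s: State) -> bool:
    return s.I[0] == 0 and s.I[1] == 1 and s.MR["MR1"] == 1 and s.MR["MR2"] == 0


def F2(s: State) -> bool:
    return s.I[0] == 1 and s.I[1] == 1 and s.I[2] == 1 and s.I[3] == 0 and s.MR["MR2"] == 0


RULES: List[Rule] = [
    # IF F1 v F2 THEN contents(R5) := contents(R2) + contents(R3)
    (lambda s: F1(s) or F2(s),
     lambda s: [("R5", s.contents["R2"] + s.contents["R3"])]),
    # a second guarded transfer that fires in the same step (constructed)
    (lambda s: s.I[1] == 1,
     lambda s: [("R3", s.contents["R2"])]),
]


def run_example(ibits: Sequence[int] = (1, 1, 1, 0),
                mr: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Execute one step from R2 = 7, R3 = 5, R5 = 0 and return the new contents."""
    s = State({"R2": 7, "R3": 5, "R5": 0}, ibits, mr or {"MR1": 0, "MR2": 0})
    return step(s, RULES).contents
# run_example() -> {'R2': 7, 'R3': 7, 'R5': 12}: R5 was computed from the old R3


def conflicting_step_raises() -> bool:
    """A rule set that writes two different values to R5 is rejected."""
    s = State({"R2": 7, "R3": 5, "R5": 0}, (1, 1, 1, 0), {"MR1": 0, "MR2": 0})
    try:
        step(s, RULES + [(lambda s: True, lambda s: [("R5", 0)])])
    except ValueError:
        return True
    return False
```

With the default instruction bits the databus route F2 fires; with I.(0) = 0, I.(1) = 1 and MR1 = 1 the multiplexer route F1 fires instead, and both give R5 = 12 because the update set is computed from the state at the start of the step.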

Hence, the ASM semantics naturally describes a single-clock hardware implementation: In each clock cycle, all conditions (these are register transfer conditions) are evaluated. Simultaneously, the combinational circuits evaluate the terms they compute (these are RT expressions). At the end (or beginning) of each clock cycle, the state of the system, as represented by the contents of the registers and memories, is updated. This is represented by guarded updates in which the functions correspond to destinations. An ASM description of an instruction set simultaneously defines an interpreter for the instruction set.

274 J. Teich, P. W. Kutter, and R. Weper

3 Generic Processor Simulation

In this section, it is our purpose to present a set of necessary universes and function definitions that are needed for describing number representations, interconnections, registers and memories, etc. generically.

For functional simulation, we maintain a library of bit-true arithmetic functions that may be used to simulate arbitrary architectures. We define a simulation engine based on arbitrary word-length integer operations such that for different number systems, word-lengths, and word representations (e.g. little versus big endian), only two functions, which convert a number into an integer and, after simulating an operation, back to its number representation, have to be written once.

3.1 Typing and Untyping

Hardware typically operates on bundles (vectors) of wires, also termed bit-vectors or bit-strings in hardware description languages such as VHDL. Therefore, it is necessary to define a universe called BIT = {0, 1} where 0 and 1 denote the numeric values that we usually associate with the Boolean values false and true, respectively.

With WORD(n) we denote the universe of all {0, 1}-bit-vectors of length n.

  $WORD(n) = \{ w \mid w \in \{0, 1\}^n;\ n \in INTEGER \}$

The same notation is used for registers from the universe REG and memories from the universe MEM in case they have to be distinguished by different word-lengths³. For example, let REG(16) denote the subset of registers having a word-length of 16 bits.

For the reason that we would like to present processor architectures independently of the number representation used (e.g., signed, one's or two's complement, etc.), we introduce a function⁴

  val : WORD(n) → INTEGER

that returns the value of a word in the corresponding number system, and its inverse

  val⁻¹ : INTEGER → WORD(n)

³ In case all word-lengths are equal for all memories and registers, we will omit the index n for short.
⁴ However, we will restrict ourselves in this paper to fixed-point arithmetic.
3.2 Modeling Combinational Modules

A combinational module with n inputs i_1, ..., i_n and m outputs o_1, ..., o_m may be described by a (vector-) function

  $F : i_1 \times \cdots \times i_n \to o_1 \times \cdots \times o_m$

Here, i_1, ..., i_n are each inputs of a subset of WORD, and o_1, ..., o_m are each outputs of a subset of WORD. In a given number system, the value val(o_j) of each output o_j, j = 1, ..., m may be given in terms of the values of the inputs of F by equations of the form:

  $val(o_j) = F_j(val(i_1), val(i_2), \ldots, val(i_n))$.

3.3 Modeling Registers and Memories

The model for registers (universe REG) and memories (universe MEM) has already been shown. The contents of registers are modeled by unary functions

  contents : REG(n) → WORD(n)

for each word-length n ∈ INTEGER. For memories, the indexed access functions

  contents : MEM(n) × INDEX → WORD(n)

are defined for each memory m ∈ MEM(n) where INDEX is defined over the universe {0, ..., size(m) − 1} and the function

  size : MEM(n) → INTEGER

denotes the size of memory m ∈ MEM(n) given in terms of the number of words of type WORD(n).

3.4 Modeling Interconnections

It remains to show how to model interconnections, how to extract subwords out of words, how to merge words to larger words, and how to copy bundles of signals.²

Given an element w ∈ WORD(n), the function bit of the form

    bit : WORD(n) × INTEGER → BIT

returns the ith bit b of w, i.e., b = bit(w, i) (or simply b = w.(i)), such that val(b) = val(bit(w, i)) in case 0 ≤ i < n, and is undefined else.

In order to compose arbitrary vectors of bits, we introduce a function to model the extraction of subwords from a word, and thus realize the expression e' = e.(hi : lo):

    extract : WORD(n) × INTEGER × INTEGER → WORD(m)

where

    e' = extract(e, hi, lo)

returns a word e' of word-length m = hi − lo + 1 in case 0 ≤ lo ≤ hi < n that satisfies ∀ i ∈ {0, ..., hi − lo} : val(e'.(i)) = val(e.(i + lo)). Else it is undefined. Moreover, the function

    merge : WORD(n) × WORD(m) → WORD(n + m)

for c = merge(a, b) allows to merge two words a ∈ WORD(n) and b ∈ WORD(m) to form a composed word c ∈ WORD(n + m) that satisfies ∀ i ∈ {0, ..., n − 1} : val(c.(i)) = val(a.(i)) and ∀ i ∈ {n, ..., n + m − 1} : val(c.(i)) = val(b.(i − n)). Finally, we define the function

    split : WORD(n) → WORD(n)

that allows to copy signals: b = split(a) with a ∈ WORD(n) and b ∈ WORD(n) satisfies ∀ i ∈ {0, ..., n − 1} : val(b.(i)) = val(a.(i)).

Example 5. Let us consider Fig. 3 where a bundle of wires is grouped from the signals b ∈ WORD(6), a ∈ WORD(…), and 5 leading zeros into a 16 bit signal c ∈ WORD(16). Using merge and extract, this grouping may be functionally described as follows:

    c = merge(merge(extract(b, …, …), extract(a, …, …)), merge(extract(a, …, …), zero))

² For non-redundant number systems (e.g., two's complement), the representation of a value value ∈ INTEGER by a bit-vector of length n is unique. In case the conflict of number representation for the number 0 can be uniquely resolved, also non-redundant number systems such as one's complement and sign-magnitude representations may be dealt with.
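The following Python model of the functions bit, extract, merge and split is an added example; it is not code from the paper or its library. A word is represented as a pair (bit pattern, word-length), and the constructed widths and index arguments of the grouping at the end stand in for the ones of Example 5, whose exact indices are not given here.

```python
# Added example (not from the paper): a Python model of WORD(n) bit-vectors
# with the functions bit, extract, merge and split of Section 3.4.
# A word is a pair (bits, n): 'bits' holds the raw bit pattern as a
# non-negative int, 'n' is the word-length; bit i of the word is (bits >> i) & 1.

from typing import NamedTuple


class Word(NamedTuple):
    bits: int   # raw bit pattern, 0 <= bits < 2**n
    n: int      # word-length


def word(bits, n):
    """Construct a WORD(n) element; the pattern is masked to n bits."""
    if n <= 0:
        raise ValueError("word-length must be positive")
    return Word(bits & ((1 << n) - 1), n)


def bit(w, i):
    """bit : WORD(n) x INTEGER -> BIT, i.e. w.(i); undefined unless 0 <= i < n."""
    if not 0 <= i < w.n:
        raise ValueError(f"bit index {i} out of range for WORD({w.n})")
    return (w.bits >> i) & 1


def extract(e, hi, lo):
    """extract : WORD(n) x INTEGER x INTEGER -> WORD(m) with m = hi - lo + 1,
    i.e. e.(hi:lo); undefined unless 0 <= lo <= hi < n."""
    if not 0 <= lo <= hi < e.n:
        raise ValueError(f"extract({hi}:{lo}) undefined for WORD({e.n})")
    return word(e.bits >> lo, hi - lo + 1)


def merge(a, b):
    """merge : WORD(n) x WORD(m) -> WORD(n+m): a occupies bits 0..n-1,
    b occupies bits n..n+m-1, so c.(i) = b.(i-n) for i >= n."""
    return word(a.bits | (b.bits << a.n), a.n + b.n)


def split(a):
    """split : WORD(n) -> WORD(n), a copy of the signal bundle."""
    return Word(a.bits, a.n)


def bits_of(w):
    """The bits (x_{n-1} ... x_0) of a word as a list, most significant first."""
    return [bit(w, i) for i in range(w.n - 1, -1, -1)]


def check_laws(a, b, hi, lo):
    """Check the defining equations of extract and merge on concrete words."""
    e = extract(a, hi, lo)
    c = merge(a, b)
    ok_extract = all(bit(e, i) == bit(a, i + lo) for i in range(hi - lo + 1))
    ok_merge_a = all(bit(c, i) == bit(a, i) for i in range(a.n))
    ok_merge_b = all(bit(c, i) == bit(b, i - a.n) for i in range(a.n, a.n + b.n))
    return ok_extract and ok_merge_a and ok_merge_b


def group_example():
    """Constructed analogue of Example 5: group the 6-bit signal b, two
    subwords of a 5-bit signal a, and 5 leading zeros into a 16-bit signal c.
    The widths and indices are assumptions of this example."""
    b = word(0b101101, 6)
    a = word(0b11010, 5)
    zero = word(0, 5)
    c = merge(merge(extract(b, 5, 0), extract(a, 1, 0)),
              merge(extract(a, 4, 2), zero))
    return c          # Word(bits=1709, n=16)
```

Because merge places its second argument above the first, the "leading" zeros end up in the most significant positions of c, which is what a leading-zero extension of a narrower bundle requires; bits_of shows the resulting vector in the (x_{n-1} ... x_0) order used in Section 3.5.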



Fig. 3. Example of extract and merge of signals

3.5 Arithmetic for Multiple Number Systems

In the following, we assume that BIT = WORD(1) = {0, 1} is modeling the boolean values of false and true, respectively.

A bit-vector x ∈ WORD(n) represents a binary vector of length n. This is an ordered sequence of the form (x_{n−1} x_{n−2} ... x_1 x_0) where the x_i = bit(x, i) are the bits (also called digits). We have introduced the function val returning the value of a bit-string. Intentionally, this has been done independently from the number system used, e.g., signed, one's or two's complement, and other positional number systems. Our intention is to simulate processor architectures bit-true at a high level of abstraction, fast and independent from the number system of the architectures' arithmetic-logical units.³

Therefore, we implement a simulation engine that computes functions based on (arbitrary long) integer representations for the implementation of highly complex arithmetic functions, and use the two functions

    val : WORD(n) → INTEGER  and  val~ : INTEGER → WORD(n)

to convert numbers from different number systems. Only these two functions have to be implemented to retarget the simulator to a different arithmetic number system, see Fig. 4. The functions val, respectively val~, are the interfaces of the integer engine to a processor with a different number representation and word-length. Note that in some cases, it may be more convenient to perform operations on the values of extracted subwords (e.g. single bits) of operands using extract and not on the values of the complete operands.

In [3 ], details are given for the definition of the functions val and val~ for typical number systems used in computer systems.

In the following example, it is shown how a typical operation of two operands is simulated generically using the above retargetable simulation engine.

Example 6. Let c = op(a, b) with a ∈ WORD(n), b ∈ WORD(m), and c ∈ WORD(q) denote an arbitrary operation with two operands a and b. The function op is evaluated as follows:

1. compute val(a) based on its word-length n;
2. compute val(b) based on its word-length m;
3. calculate val(c') in terms of val(a) and val(b) according to op;
4. let val(c'') := val(c') mod 2^q (truncation to result word-length by default);⁴
5. let c = val~(val(c'')).

In case n ≠ m, the above extension of the number representation might be necessary in hardware, however not in our simulation engine as the function op is generic. Such an operation is typical for arithmetic computation.

In [3 ], we present a catalogue of standard computations (e.g. logical and standard arithmetic operations) that have been implemented in the library.

³ Note that the view shown is completely opposite to the view one has when simulating hardware. The user (environment) thinks in terms of values (e.g., integers) whereas internally, the hardware realizes operations on bit-vectors in a binary number system.

Fig. 4. Concept of a retargetable simulation engine
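As an added example (not the paper's library), the following Python code implements the two interface functions val and val~ for three number systems and evaluates c = op(a, b) by steps 1 to 5 of Example 6. The number-system names, the sign-magnitude variant and the treatment of truncation for it are assumptions of this example; only val, val~ and the truncation step know the number system, the operation itself runs on arbitrary-precision integers.

```python
# Added example (not part of the paper): val and val~ of the retargetable
# simulation engine for three number systems, and the generic evaluation of
# c = op(a, b) following steps 1-5 of Example 6. Words are bit patterns
# (non-negative ints) of a stated word-length; the system names are constructed.

UNSIGNED, TWOS_COMPLEMENT, SIGN_MAGNITUDE = "unsigned", "twos", "signmag"


def val(bits, n, system=TWOS_COMPLEMENT):
    """val : WORD(n) -> INTEGER in the selected number system."""
    bits &= (1 << n) - 1
    sign = bits >> (n - 1)
    if system == UNSIGNED:
        return bits
    if system == TWOS_COMPLEMENT:
        return bits - (1 << n) if sign else bits
    if system == SIGN_MAGNITUDE:
        magnitude = bits & ((1 << (n - 1)) - 1)
        return -magnitude if sign else magnitude
    raise ValueError(f"unknown number system {system}")


def val_inv(value, n, system=TWOS_COMPLEMENT):
    """val~ : INTEGER -> WORD(n); undefined (ValueError) if the value is not
    representable with word-length n in the selected number system."""
    if system == UNSIGNED:
        lo, hi = 0, (1 << n) - 1
    elif system == TWOS_COMPLEMENT:
        lo, hi = -(1 << (n - 1)), (1 << (n - 1)) - 1
    elif system == SIGN_MAGNITUDE:
        lo, hi = -((1 << (n - 1)) - 1), (1 << (n - 1)) - 1
    else:
        raise ValueError(f"unknown number system {system}")
    if not lo <= value <= hi:
        raise ValueError(f"{value} not representable in WORD({n}) as {system}")
    if system == SIGN_MAGNITUDE:
        return ((1 << (n - 1)) | -value) if value < 0 else value
    return value & ((1 << n) - 1)       # two's complement / unsigned pattern


def truncate(value, q, system=TWOS_COMPLEMENT):
    """Step 4 of Example 6: reduce an arbitrary-precision result to the value
    range of WORD(q). For unsigned and two's complement this is the 'mod 2^q'
    wrap-around of the paper; wrapping the magnitude for sign-magnitude is an
    assumption of this example."""
    if system == UNSIGNED:
        return value % (1 << q)
    if system == TWOS_COMPLEMENT:
        half = 1 << (q - 1)
        return (value + half) % (1 << q) - half
    if system == SIGN_MAGNITUDE:
        magnitude = abs(value) % (1 << (q - 1))
        return -magnitude if value < 0 else magnitude
    raise ValueError(f"unknown number system {system}")


def simulate_op(op, a, n, b, m, q, system=TWOS_COMPLEMENT):
    """Generic evaluation of c = op(a, b) with a in WORD(n), b in WORD(m) and
    c in WORD(q). Retargeting to another number system changes only the
    three helpers above, never this function or the operation op."""
    value_a = val(a, n, system)                  # step 1
    value_b = val(b, m, system)                  # step 2
    value_c = op(value_a, value_b)               # step 3: val(c')
    value_c = truncate(value_c, q, system)       # step 4: val(c'')
    return val_inv(value_c, q, system)           # step 5: c = val~(val(c''))


def add(x, y):
    return x + y


def mul(x, y):
    return x * y
```

Operands of different word-lengths (n ≠ m) need no explicit extension here, since both are first mapped to integers; the overflow behaviour of the target machine enters only through truncate, e.g. 0x7F + 0x01 in 8-bit two's complement wraps to 0x80.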

4 ARM Microprocessor Simulation

In this section, we show how the exemplary description of the ARM [ 5] microprocessor is derived using the above methodology, how the instruction set may be simulated, and how assembler programs of this processor may be debugged.

The motivation of the following ARM-processor case study is a handwritten ASM-description as given in [ 9,2 ]. In our methodology, a corresponding description will be obtained by instruction set extraction and generation from a netlist or graphical description of the ARM's data-path.

In Section 4.1, we sketch the architecture of the ARM processor and show how its description is implemented. In addition to entering the rules, we had to implement the library of arithmetic and logical functions described in Section 3. These functions are implemented in C and interfaced to the ASM description. Further, a parser both for assembler code and binary code was written using the existing parser support of the language. Some details are given in Section 4.2. Given the specification, the Gem-Mex tool [2] generates a graphical debugger and simulation tool, see Section 4.3.

⁴ Different other behaviors like rounding etc. may be handled similarly.

Fig. 5. Architecture of the ARM processor

4.1 ARM Processor

The ARM2 processor of Acorn RISC Machines [ 5] is a 32 bit microprocessor architecture with a set of 16 registers, see Figure 5. The dedicated register R15 contains the program counter (PC) and status flags, R14 is reserved for the return address of branch instructions. The registers R0 to R13 are general purpose registers.

The processor supports a three staged pipeline. Instructions are dispatched in three phases: During the first phase instruction fetch, an instruction is fetched from the instruction memory; in the second phase decode, the instruction is decoded and assigned to the respective execution unit. During the phase execute, the instruction will be executed and the result will be stored.

We can think of these phases as being executed sequentially, but in fact the architecture has parallel logic for all three phases, so in a stable pipeline state, the processor is able to execute three operations of a machine program in parallel. In [ 9], a simple ASM-model of the ARM microprocessor for sequential execution mode is given and stepwise refined to a model executing the stages in parallel. The correctness of the refinements is proven.

We started by entering the specifications of the different refinements, and debugged them. The disadvantage of considering several refinements simultaneously is that it is almost impossible to maintain all versions if changes must be made. Thus, we decided to integrate the different models into one model that can be transformed into any of the refinements by changing some macro definitions. This version of the description is given in [2 ]. Depending on the boolean value of the macro PIPELINED, either the stages are executed sequentially or in pipelined mode. In sequential mode, a nullary function

    function Stage

is used. The values of Stage are fetch, decode, or execute. In the syntax of the specification language, the three constants can be introduced by enumeration:

    universe STAGES = {fetch, decode, execute}

The control structure simulating both the sequential and the parallel execution of stages is structured as follows. Assume, code[Contents(PC)] fetches the current instruction from memory.

    if PIPELINED or Stage = fetch then
        Instr := code[Contents(PC)]
        if PIPELINED then
            DecodeInstr := Instr
        else
            Stage := decode
        endif
        R_FETCH
    endif

    if PIPELINED or Stage = decode then
        if PIPELINED then
            ExecuteInstr := DecodeInstr
        else
            Stage := execute
        endif
        R_DECODE
    endif

    if PIPELINED or Stage = execute then
        if PIPELINED then
        else
            Stage := fetch
        endif
        R_EXECUTE
    endif

In pipelined mode, all three parts of the rule are executed in parallel; otherwise the parts are executed sequentially in cyclic mode.

In the three remaining rules R_FETCH, R_DECODE, and R_EXECUTE of the complete description (not given here), the active instructions must be accessed by three macros defined as follows:

    #define FETCHINSTR Instr
    #define DECODEINSTR (if PIPELINED then DecodeInstr else Instr)
    #define EXECUTEINSTR (if PIPELINED then ExecuteInstr else Instr)

If these macros are used to refer to the instruction, almost the complete functionality of the rules R_FETCH, R_DECODE, and R_EXECUTE can be defined independent of whether the stages are executed in parallel or sequentially.

In order to make the description retargetable to other architectures, we used the C-library of Section 3. The adaption to our methodology involved mainly the adaption of the signature. The structure of the rules remained unchanged.
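The following Python simulation of the stage control structure is an added example, not the paper's ASM description. It evaluates the rule above on the old state and applies all updates at once, as ASM semantics requires, with the macro PIPELINED as a constructor argument. The bodies of R_FETCH, R_DECODE and R_EXECUTE are not given in the paper; the ones here (advance PC, do nothing, retire the instruction selected by the EXECUTEINSTR macro) are constructed stand-ins that suffice to compare the two modes.

```python
# Added example (not the paper's code): the sequential/pipelined stage control
# structure of the ARM description, rendered in Python with ASM update-set
# semantics. The rule bodies R_FETCH/R_DECODE/R_EXECUTE are constructed.

class Machine:
    def __init__(self, code, pipelined):
        self.code = list(code)          # instruction memory, indexed by PC
        self.pipelined = pipelined      # the PIPELINED macro
        self.pc = 0                     # Contents(PC)
        self.stage = "fetch"            # nullary function Stage (sequential mode)
        self.instr = None               # Instr
        self.decode_instr = None        # DecodeInstr
        self.execute_instr = None       # ExecuteInstr
        self.executed = []              # trace of retired instructions
        self.steps = 0

    def fetch_instr(self):
        """code[Contents(PC)], or None once the program is exhausted."""
        return self.code[self.pc] if self.pc < len(self.code) else None

    def step(self):
        """One ASM step: read only the old state, collect updates, apply them."""
        P = self.pipelined
        upd = {}
        retired = None
        if P or self.stage == "fetch":
            upd["instr"] = self.fetch_instr()
            if P:
                upd["decode_instr"] = self.instr
            else:
                upd["stage"] = "decode"
            upd["pc"] = self.pc + 1                 # R_FETCH (constructed body)
        if P or self.stage == "decode":
            if P:
                upd["execute_instr"] = self.decode_instr
            else:
                upd["stage"] = "execute"
            # R_DECODE (constructed body): nothing observable here
        if P or self.stage == "execute":
            if not P:
                upd["stage"] = "fetch"
            # R_EXECUTE (constructed body): retire EXECUTEINSTR, which the
            # macro resolves to ExecuteInstr when pipelined and Instr otherwise
            retired = self.execute_instr if P else self.instr
        for name, value in upd.items():             # simultaneous update
            setattr(self, name, value)
        if retired is not None:
            self.executed.append(retired)
        self.steps += 1


def run(code, pipelined, max_steps=100):
    """Run until every instruction of 'code' has retired; return the retired
    sequence and the number of ASM steps (cycles) that took."""
    m = Machine(code, pipelined)
    while len(m.executed) < len(code) and m.steps < max_steps:
        m.step()
    return m.executed, m.steps


def compare_modes(code):
    """Both modes retire the same instructions in the same order; the
    sequential mode needs three steps per instruction, the pipelined mode
    overlaps fetch, decode and execute of consecutive instructions."""
    seq_trace, seq_steps = run(code, pipelined=False)
    pipe_trace, pipe_steps = run(code, pipelined=True)
    return seq_trace == pipe_trace, seq_steps, pipe_steps
```

With a constructed three-instruction program the sequential machine needs 9 steps (fetch, decode, execute for each instruction) while the pipelined one retires the same three instructions in fewer cycles, since from the third cycle on every stage register holds a different instruction.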



4.2 Parser Generation for Assembler and Binary

The language provides a number of built-in constructs for generating a parser. The main structure of the assembler parser starts with the declaration of a list of instructions, separated by semicolons.

    nonterm ARMcode [Instruction] ;
      base Instruction
      cont ARMcode ';' Instruction
    endnonterm

Instructions are alternatively alu-, branch-, single transfer-, or multiple transfer instructions. This alternative is written as

    nonterm Instruction = AluInstr | BranchInstr |
                          SingleTransferInstr | MultipleTransferInstr
    endnonterm

Finally, the syntax of single instructions is given, for instance for a branch:

    nonterm BranchInstr ::= "B" (link=)b_link (cond=)Conds (adr=)address;
      R
    endnonterm

where in the rule R one can access the components of the branch instruction as link, cond, and adr. In the rule R certain informations about the instruction are precomputed.

If a further analysis of the code is desired, e.g. an abstract verification of certain properties, the Montages [3] support of Gem-Mex can be used. We restricted the use of Gem-Mex to the generation of graphics for simulation and debugging.

Fig. 6. Design flow from architecture description and program input to simulation



4.3 Simulation of the Processor

In Figure 6, we display the design flow from architecture description and program input to simulation. From a graphical description of the architecture, the ASM description is extracted and then transformed into rules. The upper left part shows the transformation from the architecture description into code resulting in a file with the extension .asm. The upper right part displays the input of the simulator's algorithmic load which consists of an application program written in assembler notation, the file testprg.ass. The compiler translates the architecture description into C-code and calls the gcc-compiler to compile these C-files. Thereby, the C-library of arithmetic functions described in Section 3 is linked. As a result, an executable is generated which interacts with generic Tcl/Tk scripts provided by the Gem-Mex simulation and debugging environment. The visual aspects of the simulation and debugging environment are shown at the bottom of the figure.

Figure 7 displays a snapshot of a simulation run both of the pipelined (top) and the sequential (bottom) implementation. The algorithmic load respectively consists of a small assembler program, see Figure 8.

Here, after nine steps, the sequential implementation has reached the end of an execution phase and sets the Stage flag to fetch, indicating that the next operation has to be a fetch operation. The parallel implementation only needs three cycles to reach the same machine state due to pipelining. The right hand picture shows the contents of the respective register file.

Fig. 7. Debugging of a program using the Gem-Mex environment

Fig. 8. The application program in assembler language

5 Conclusions

In this paper, we present foundations for the simulation of a processor architecture and its instruction set given the syntax of the instruction and either a netlist or graphical description of the architecture's data-path.

A major advantage of our approach with respect to other approaches is that the ASM-formalism itself is suited for architecture description. The generated ASMs can thus serve as additional documentation. Changes may be made directly at the ASM level and the corresponding changes in the netlist/graphical description can be regenerated.

Furthermore, we present a methodology for generic processor simulation that is independent of a processor's specific parameters like instruction word length and number representation. In order to accomplish this, we build a library of bit-true arithmetic functions and construct an integer engine as a simulation core which can be adapted to almost any microprocessor by specific interface functions.

Here, we demonstrate the feasibility of our methodology for simulating a realistic pipelined RISC architecture, the ARM microprocessor.
Abstract. We give a brief overview of the Symbolic Analysis Laboratory (SAL) project. SAL is a verification framework that is directed at analyzing properties of transition systems by combining tools for program analysis, model checking, and theorem proving. SAL is built around a small intermediate language that serves as a semantic representation for transition systems that can be used to drive the various analysis tools.*

The transition system model of a program consists of a state type, an initialization predicate on this state type, and a binary next-state relation. The execution of a program starts in a state satisfying the initialization predicate so that each state and its successor state satisfy the next-state relation. Transition systems are a simple low-level model that have none of the semantic complications of high-level programming languages. Constructs such as branches, loops, and procedure calls can be modelled within a transition system through the use of explicit control variables. The transition system model forms the basis of several popular formalisms including [ 5], [2 ], [3 ], and ASMs [2 ]. It also underlies verification tools such as [3 ], Murphi [ ], and [32].

If we focus our attention on the verification of properties of transition systems, we find that this simple model poses some serious challenges. The verification of transition systems is performed by showing that the system satisfies an invariance or progress property, or that it refines another transition system. It is easy to write out proof rules for the verification of such properties, but the actual application of these proof rules requires considerable human ingenuity. For example, the verification of invariance properties requires that the invariant be inductive, i.e., preserved by each transition. A valid invariant might need to be strengthened before it can be shown to be inductive. Fairness constraints and progress measures have to be employed for demonstrating progress properties. It takes a fair amount of effort and ingenuity to come up with suitable invariant strengthenings and progress measures.

* This work was funded by the Defense Advanced Research Projects Agency under Contract No. 3 6 3-96- - 2 4, and Grants No. R-97 23 3 and R-95 993 . The SAL project is a combined effort between SRI International, Stanford University, and the University of California, Berkeley.

Gurevich et al. (Eds.): ASM 2000, LNCS …, pp. …7–…, 2000. © Springer-Verlag Berlin Heidelberg 2000

Methods like model checking [ 3] that are based on state-space exploration have the advantage that they are largely automatic and seldom require the fine-grained interactions with deductive methods. Since these methods typically explore the reachable state space (i.e., the strongest invariant), there is no need for invariant strengthening. Progress measures are also irrelevant since the size of the whole state space is bounded. However, model checking methods apply only to a limited class of systems that possess small, essentially finite state spaces.

Theorem proving or model checking are not by themselves adequate for effective verification. It is necessary to combine the expressiveness of the deductive methods with the automation given by model checking. This way, small, finite-state systems can be directly verified using model checking. For larger, possibly infinite-state systems, theorem proving can be used to construct property-preserving abstractions over a smaller state space. Such abstractions convert data-specific characteristics of a computation into control-specific ones. The finite-state model constructed by means of abstraction can be analyzed using model checking. It is easy to actually compute the properties of a system from a finite-state approximation and map these properties back to the original system.

We give an overview of an ongoing effort aimed at constructing a general framework for the integration of theorem proving, model checking, and program analysis. We use the term symbolic analysis to refer to the integration of these analysis techniques since they all employ representations based on symbolic logic to carry out a symbolic interpretation of program behavior. The framework also emphasizes analysis, i.e., the extraction of a large number of useful properties, over correctness, which is the demonstration of a small number of important properties. The framework is called the Symbolic Analysis Laboratory (SAL).

We motivate the need for symbolic analysis and describe the architecture and intermediate language of SAL.

1.1 A Simple Example

We use a very simple and artificial example to illustrate how symbolic analysis can bring about a synergistic combination of theorem proving, model checking, and program analysis. The example consists of a transition system with a state containing a (control) variable pc ranging over the scalar type {inc, dec}, and two integer variables x and y. Initially, control is in state inc and the variables x and y are set to zero. There are three transition rules shown below as guarded commands:

1. When pc = inc, then y is incremented by two, x is set to zero, and control is transferred to state dec:

    pc = inc → y := y + 2; x := 0; pc := dec
Fig. 1. Simple Transition System

2. When pc = dec and y > 0, y is decremented by two, x is incremented by one, and control is transferred to state inc:

    pc = dec ∧ y > 0 → y := y − 2; x := x + 1; pc := inc

3. Same as transition rule 2, but control stays in dec:

    pc = dec ∧ y > 0 → y := y − 2; x := x + 1

There is also an implicit stuttering transition from a state to itself when none of the guards of the other transitions holds, i.e., when pc = dec and y ≤ 0. Since the inc state has a transition with a guard that is always true, there is no need for a stuttering transition on inc. The transition system is shown diagrammatically in Figure 1.

The transition system satisfies a number of interesting invariants:

1. y is always even.
2. x and y are always non-negative.
3. y is always either 0 or 2.
4. y is always 0 in state inc.
5. x is always either 0 or 1.
6. In state dec, y = 2 iff x = 0.

The purpose of symbolic analysis is to find and validate such properties with a high degree of automation and minimal human guidance and intervention. While efficient automation is essential for analyzing large transition systems, the intended outcome of symbolic analysis is human insight. The analysis should therefore not rule out human interaction.

2 Symbolic Analysis Techniques

We enumerate some symbolic analysis techniques and assess their utility on the example. For this purpose, we focus on the invariant (1) below.

    y = 0 ∨ y = 2    (1)
Note that the example transition system is a potentially infinite state system since the variables x and y range over the integers.

Some mathematical preliminaries are in order. A transition system P is given by a pair ⟨I_P, N_P⟩ consisting of an initialization predicate on states I_P, and a binary next-state relation on states N_P. We constrain the next-state relation to be total so that ∀ s : ∃ s' : N_P(s, s'). The metavariables s, s' range over states. We treat a set of states as equivalent to its characteristic predicate. The boolean connectives ∧, ∨, ¬ are lifted from the booleans to the level of predicates and correspond to the set-theoretic operations ∩, ∪, and complement, respectively. An assertion is a predicate on states. The metavariables φ, ψ range over assertions. A predicate transformer is a map from predicates to predicates. A monotone predicate transformer τ preserves the subset or implication ordering on predicates so that if φ ⊃ ψ, then τ(φ) ⊃ τ(ψ). A fixed point of a monotone predicate transformer τ is an assertion φ such that φ = τ(φ). As a consequence of the Tarski-Knaster theorem, every monotone predicate transformer τ has a least fixed point lfp(τ) and a greatest fixed point gfp(τ) such that

    lfp(τ) = τ(lfp(τ))    gfp(τ) = τ(gfp(τ)).

Let ⊥, ⊤, and ω represent the empty set of states, the set of all states, and the set of natural numbers. If the state space is finite, then the least fixed point lfp(τ) can be calculated as

    ⊥ ∨ τ(⊥) ∨ τ²(⊥) ∨ ... ∨ τⁿ(⊥)

for some n ∈ ω, and similarly, gfp(τ) can be calculated as

    ⊤ ∧ τ(⊤) ∧ τ²(⊤) ∧ ... ∧ τⁿ(⊤)

for some n ∈ ω. If τ is ∨-continuous (i.e., τ(⋁_{i∈ω} φ_i) = ⋁_{i∈ω} τ(φ_i) for φ_i such that φ_i ⊃ φ_j whenever j ≤ i), then

    lfp(τ) = ⋁_{i∈ω} τ^i(⊥)    (2)

Similarly, if τ is ∧-continuous (i.e., τ(⋀_{i∈ω} φ_i) = ⋀_{i∈ω} τ(φ_i) for φ_i such that φ_j ⊃ φ_i whenever j ≤ i), then

    gfp(τ) = ⋀_{i∈ω} τ^i(⊤)    (3)

Equations (2) and (3) provide an iterative way of computing the least and greatest fixed points, but on infinite-state spaces the computations might not converge in a bounded number of steps.

Typical examples of monotone predicate transformers include

1. Strongest postcondition of a transition relation N, sp(N), which is defined as

    sp(N)(φ)(s') ≡ (∃ s : φ(s) ∧ N(s, s')).

2. Strongest postcondition of a transition system P, sp(P), is defined as

    sp(P)(φ) ≡ I_P ∨ sp(N_P)(φ).

3. Weakest precondition of a transition relation N, wp(N), is defined as

    wp(N)(φ)(s) ≡ (∀ s' : N(s, s') ⊃ φ(s')).
2.1 Invariant Proving

The invariance rule is the most heavily used proof rule in a program logic [23, 33]. Given a transition system P as a pair ⟨I_P, N_P⟩, consisting of an initialization I_P and a next-state relation N_P, the invariance rule usually has the form:

    φ(s) ⊃ ψ(s)
    I_P(s) ⊃ φ(s)
    φ(s) ∧ N_P(s, s') ⊃ φ(s')
    -----------------------------
    P ⊨ invariant ψ

In this rule, the assertion φ is a strengthening of the assertion ψ. Such a strengthening is needed since the assertion ψ may not be inductive, i.e., satisfy the premises I_P(s) ⊃ ψ(s) and ψ(s) ∧ N_P(s, s') ⊃ ψ(s').

In the example, the invariant (1) is not inductive. It fails because it is not preserved by transition 1, since we cannot establish

    (pc = inc ∧ (y = 0 ∨ y = 2)) ∧ (pc = inc ∧ y' = y + 2 ∧ x' = 0) ⊃ (y' = 0 ∨ y' = 2).

The invariant has to be strengthened with the observation that when pc = inc, y is always 0, so that it now reads

    y = 0 ∨ (pc ≠ inc ∧ y = 2).    (4)

The strengthened invariant (4) is inductive. The need for invariant strengthening in program proofs is the key disadvantage of the deductive methods with respect to model checking. Quite a lot of effort is needed to turn a putative invariant into an inductive one. Once an invariant has been strengthened in this manner, it can contain a large number of conjuncts that generate a case explosion in the proof. Much of the focus of symbolic analysis is on supplementing deductive verification with the means of automatically obtaining useful invariants and invariant strengthenings.

2.2 Enumerative Model Checking

The early approaches to model checking were based on the feasibility of computing fixed point properties for finite-state systems. The reachable states of a finite-state system can be computed by starting from the set of initial states and exploring the states reachable in consecutive transitions. A property that holds on all the reachable states is a valid invariant. There are many variations on this basic theme. Modern enumerative model checkers such as Murphi [ ] and SPIN [24] carry out a depth-first search exploration of the transition graph while maintaining a hash-table to record states that have already been visited. In SPIN, the model checking problem is transformed into one of emptiness for ω-automata, i.e. automata that recognize infinite strings [3 , 9].

In enumerative model checking, properties written in a branching-time temporal logic can be verified in time proportional to |M| × |φ| where |M| is the size of the transition graph and |φ| the size of the temporal formula. Model checking linear-time temporal logic formulas is more expensive and takes time proportional to |M| × 2^|φ| where |M| is the size of the model and |φ| is the size of the formula.

The example succumbs rather fortuitously to enumerative model checking. Even though the potential state space of the example is unbounded, only a bounded part of the state space is reachable since y is either 0 or 2, and x is either 0 or 1. The success of enumerative model checking is somewhat anomalous since this method is unlikely to terminate on typical infinite-state systems. Even for finite-state systems, an enumerative check is unlikely to succeed because the size of the searchable state space can be exponential in the size of the program state. Still, enumerative model checking is an effective debugging technique that can often detect and display simple counterexamples when a property fails.
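The following Python code is an added example, not part of the paper or of SAL. It encodes the three guarded commands of the example, computes the reachable state set by the fixed point iteration of the strongest postcondition (which is what an enumerative model checker does, and which here terminates because only four states are reachable), checks the six invariants listed in Section 1.1 on that set, and then exercises the premises of the invariance rule of Section 2.1 to show that (1) is not inductive while (4) is. The bounded window over x and y used for the inductiveness check is an assumption of this example standing in for the theorem prover the paper would use on the unbounded integers.

```python
# Added example (not from the paper): the example transition system,
# explicit-state reachability (lfp of sp), and a bounded check of the
# invariance-rule premises for invariants (1) and (4).

INC, DEC = "inc", "dec"
INIT = (INC, 0, 0)          # initial state (pc, x, y)


def successors(state):
    """Next-state relation N_P as the set of successor states. Rules 2 and 3
    share the guard pc = dec and y > 0; the implicit stuttering transition
    applies when no guard holds."""
    pc, x, y = state
    succ = set()
    if pc == INC:                                   # rule 1
        succ.add((DEC, 0, y + 2))
    if pc == DEC and y > 0:                         # rules 2 and 3
        succ.add((INC, x + 1, y - 2))
        succ.add((DEC, x + 1, y - 2))
    if not succ:                                    # stuttering transition
        succ.add(state)
    return succ


def reachable(init=INIT, limit=10_000):
    """lfp of sp: S := S ∪ sp(N_P)(S), starting from the initial state set,
    until no new state is added. 'limit' guards against an unbounded state
    space; for this example the iteration stops after four states."""
    seen, frontier = {init}, {init}
    while frontier:
        if len(seen) > limit:
            raise RuntimeError("state space not bounded within limit")
        frontier = {t for s in frontier for t in successors(s)} - seen
        seen |= frontier
    return seen


# The six invariants listed in Section 1.1 as predicates on (pc, x, y).
INVARIANTS = {
    "y even": lambda pc, x, y: y % 2 == 0,
    "x, y non-negative": lambda pc, x, y: x >= 0 and y >= 0,
    "y in {0, 2}": lambda pc, x, y: y in (0, 2),                 # invariant (1)
    "y = 0 in inc": lambda pc, x, y: pc != INC or y == 0,
    "x in {0, 1}": lambda pc, x, y: x in (0, 1),
    "in dec: y = 2 iff x = 0": lambda pc, x, y: pc != DEC or ((y == 2) == (x == 0)),
}


def check_invariants(states):
    """Names of the listed invariants that hold on every given state."""
    return [name for name, p in INVARIANTS.items() if all(p(*s) for s in states)]


def inductive_counterexample(phi, x_range=range(0, 3), y_range=range(-6, 7)):
    """Bounded check of the invariance-rule premises I_P(s) ⊃ phi(s) and
    phi(s) ∧ N_P(s, s') ⊃ phi(s'). Returns a violating (s, s') pair, or None
    if none exists in the window (an assumption replacing theorem proving)."""
    if not phi(*INIT):
        return (None, INIT)
    for pc in (INC, DEC):
        for x in x_range:
            for y in y_range:
                s = (pc, x, y)
                if phi(*s):
                    for t in successors(s):
                        if not phi(*t):
                            return (s, t)
    return None


def putative(pc, x, y):
    """Invariant (1): y = 0 ∨ y = 2."""
    return y == 0 or y == 2


def strengthened(pc, x, y):
    """Invariant (4): y = 0 ∨ (pc ≠ inc ∧ y = 2)."""
    return y == 0 or (pc != INC and y == 2)
```

The counterexample returned for (1) is the state (inc, 0, 2), which satisfies (1) but whose rule-1 successor (dec, 0, 4) does not; it is exactly the unprovable premise shown in Section 2.1 and it is an unreachable state, which is why (1) is a valid but non-inductive invariant.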



2.3 Symbolic Model Checking

The use of symbolic representation for the state sets was proposed in order to combat the state explosion problem in enumerative model checking [4, 3 ]. A symbolic representation for boolean functions based on binary decision diagrams (BDDs) [ ] has proved particularly successful. A finite state can be represented as a bit-vector. The sets of bit-vectors are just boolean functions and can be represented as BDDs. In particular, the initial set, a given invariant claim, the transition relation, and the reachable state set can all be represented as BDDs. The BDD operations can be used to compute images of state sets with respect to the transition relation. This allows predicate transformers such as strongest postcondition and weakest precondition to be applied to the BDD representation of a state set. The reachable state set can be computed by means of a fixed point iteration of the strongest postcondition computation starting from the initial state set. Every intermediate iteration of the reachable state set is also represented as a BDD. There are several advantages to the use of BDDs. Oftentimes sets of large cardinality might have compact symbolic representations. BDDs are a canonical representation for boolean functions so that equivalence tests are cheap. BDDs are especially good at handling the boolean quantification that is needed in the image computations. Automata-theoretic methods can also be represented in symbolic form. Some symbolic model checkers include [3 ].

Such symbolic representations do require the state to be explicitly finite. This means that the example cannot be encoded directly in a form that can be directly understood by a symbolic model checker. Some work has to be done in order to reduce the problem to finite-state form so that it can be handled by a symbolic model checker.



2.4 Invariant Generation

Automatic invariant generation techniques have been studied since the 1970s [ 4, 2 , 27, 36], and more recently in the work of Bjørner, Browne, and Manna [3], and Bensalem, Lakhnech, and Saïdi [9, 34, 7].

As in model checking, the basic operation in invariant generation is that of taking the strongest postcondition or weakest precondition of a state set with respect to the transition relation. Some of the techniques for computing invariants are described briefly below.

Least fixed point with the strongest postcondition. The invariant computed here corresponds to the reachability state set. It is computed by starting with an initial symbolic representation of the initial state set given by the program. This set is successively enlarged by taking its image under the strongest postcondition operation until a fixed point is reached, i.e., no new elements are added to the set. It yields a symbolic representation of the set of reachable states, which is the strongest invariant. However, this computation often does not terminate since it might not converge to a fixed point in a finite number of steps. Take, for example, a program that successively increments by one a variable that is initially zero. This program has a least fixed point, i.e., the variable is in the set of natural numbers, but the iterative computation does not converge.

For the example, the least fixed point computation does terminate with the desired invariant as seen in the calculation below.

    φ₀ = (pc = inc ∧ x = 0 ∧ y = 0)
    φ₁ = φ₀ ∨ (pc = dec ∧ y = 2 ∧ x = 0)
    φ₂ = φ₁ ∨ (pc = inc ∧ y = 0 ∧ x = 1)
    φ₃ = φ₂ ∨ (pc = dec ∧ y = 0 ∧ x = 1) = φ₄

The resulting invariant easily implies the strengthened inductive invariant (4). The computation terminates precisely because the reachable state set is bounded. In more typical examples, approximation techniques will be needed to accelerate the convergence of the least fixed point computation.

Greatest fixed point with the strongest postcondition. The greatest fixed point iteration starts with the entire state space and strengthens it in each iteration by excluding states that are definitely unreachable. This approach yields a weaker invariant than the least fixed point computation. The computation also need not terminate. When it does terminate, the resulting invariant might not be strong enough. In the case of the program with a single integer variable that is initially zero and incremented by one in each transition, the greatest fixed point computation returns the trivial invariant true. However, this method has the advantage that it can be made to converge more easily than the least fixed point method, and any intermediate step in the computation already yields a valid invariant.

The greatest fixed point invariant computation for the example (ignoring the variable x) can be carried out as follows. Here φ^i(pc) represents the ith iteration of the invariant for control state pc:

    φ¹(inc) = (y = 0 ∨ y ≥ −2) = (y ≥ −2)
    φ¹(dec) = true
    φ²(inc) = (y ≥ −2)
    φ²(dec) = (y ≥ 0 ∨ y ≥ −2) = (y ≥ −2)
    φ³(inc) = (y ≥ −2)
    φ³(dec) = (y ≥ −2)

The invariant y ≥ −2 is not all that useful since this information contributes nothing to the invariants that we wish to establish. Still, the greatest fixed point method is not without value. It is especially useful for propagating known invariants. For example, if we start the iteration with invariant (1), then we can use the method to deduce the strengthened invariant (4).

Greatest fixed point with the weakest precondition. Both methods above compute inductive invariants that are valid, whereas this method takes a putative invariant and strengthens it in order to make it inductive. The computation starts with a putative invariant φ, and successively applies the weakest precondition operation φ ∧ wp(N_P)(φ) to it. If this computation terminates, then either the resulting assertion is a strengthening of the original invariant that is also inductive, or the given invariant is shown to be invalid.

With the example, the weakest precondition with respect to the putative invariant (1) yields the strengthened invariant (4).

2.5 Abstract Interpretation

Many of the invariant generation techniques are already examples of abstract interpretation, which is a general framework for lifting program execution from the concrete domain of values to a more abstract domain of properties. Examples of abstract interpretation include sign analysis (positive, negative, or zero) of variables, interval analysis (computing bounds on the range of values a variable can take), live variable analysis (the value of a variable at a control point might be used in the computation to follow), among many others.

We can apply an interval analysis to the example. Initially, the interval for y is [0, 0] for pc = inc. This yields an interval of [2, 2] for y when pc = dec. In the next step, we have an approximation of [0, 2] for y when pc = dec, and [0, 0] when pc = inc. In the next round, we get an approximation of [− , ] for the range of y when pc = inc, and [ , 2] for the range of y when pc = dec. At this point the computation converges, but the results of the analysis are still too approximate and do not discharge the invariant (1).
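The interval analysis just sketched, as an added example that is not the paper's code: one interval for y per control state, the guard y > 0 refining the lower bound before the decrement, and a join with the previous round so that the iteration ascends monotonically. The bounds it converges to, [−1, 0] at inc and [−1, 2] at dec, are those of this implementation (the scan does not show the paper's constants legibly); either way the result contains values outside {0, 2} and so cannot discharge invariant (1).

```python
# Added example (not from the paper): interval analysis of the example
# transition system with one interval for y per control state. Intervals are
# (lo, hi) pairs; None is the empty interval (control state not yet reached).
# The variable x is ignored, as in the text.

INC, DEC = "inc", "dec"


def hull(a, b):
    """Join in the interval lattice (None is bottom)."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def shift(iv, k):
    """Abstract transformer of the assignment y := y + k."""
    return None if iv is None else (iv[0] + k, iv[1] + k)


def meet_positive(iv):
    """Abstract transformer of the guard y > 0: refine the lower bound to 1,
    or bottom if no value of the interval satisfies the guard."""
    if iv is None or iv[1] <= 0:
        return None
    return (max(iv[0], 1), iv[1])


def interval_step(env):
    """One round: push every control state's interval through the three rules.
    The initial state contributes [0, 0] at inc in every round."""
    new = {INC: (0, 0), DEC: None}
    new[DEC] = hull(new[DEC], shift(env[INC], 2))               # rule 1
    dec_pos = meet_positive(env[DEC])                           # guard y > 0
    new[INC] = hull(new[INC], shift(dec_pos, -2))               # rule 2
    new[DEC] = hull(new[DEC], shift(dec_pos, -2))               # rule 3
    return new


def interval_analysis(max_rounds=50):
    """Iterate to a fixed point; return the final environment and the number
    of rounds. Without widening this may diverge on other systems, hence the
    bound on rounds."""
    env = {INC: (0, 0), DEC: None}
    for rounds in range(1, max_rounds + 1):
        new = interval_step(env)
        new = {pc: hull(env[pc], new[pc]) for pc in env}        # monotone ascent
        if new == env:
            return env, rounds
        env = new
    raise RuntimeError("no convergence within the round bound; widening needed")


def discharges_invariant_1(env):
    """Does the interval result prove y ∈ {0, 2} at every control state?
    An interval can only do so by being exactly [0, 0] or [2, 2]."""
    return all(iv in ((0, 0), (2, 2)) for iv in env.values())
```

The precision loss is inherent to the domain: the set {0, 2} is not convex, so even a perfectly precise interval analysis would report at best [0, 2] at dec and could not exclude y = 1.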

2.6 Property Preserving Abstractions

Since model checking is unable to cope with systems with infinite or large state spaces, abstraction has been studied as a technique for reducing the state space [ 2, 29, 35]. In data abstraction, a variable over an infinite or large type is reduced to one over a smaller type. The smaller type is essentially a quotient with respect to some equivalence relation of the larger type. For example, a variable ranging over the integers can be reduced to a boolean by considering only the parity (odd or even) of the numbers. Predicate abstraction is an extension of data abstraction that introduces boolean variables for predicates over a set of variables. For example, if x and y are two integer variables in a program, it is possible to abstract the program with respect to predicates such as x < y and x = y. These variables are then replaced by boolean variables a and b such that a corresponds to x < y and b corresponds to x = y. Though predicate abstraction introduces only boolean variables, it is possible to simulate a data abstraction of a variable to one of finite type using a binary encoding of the finite type.

In general, an abstraction is given by means of a concretization map γ such that γ(a) for an abstract variable a returns its concrete counterpart. In the case of the abstraction where x and y are replaced by a and b, γ(a) = (x < y) and γ(b) = (x = y). The more difficult direction is computing an abstraction α(φ) given a concrete predicate φ. The construction of α requires the use of theorem proving as described below.

There are also two ways of using abstractions in symbolic analysis. In one approach, the abstract reachability set [35, 7] is constructed by the following iteration

    α(P) = lfp(φ̂ ↦ α(I_P) ∨ α(sp(N_P)(γ(φ̂)))).

We can then check if ψ is an invariant of P by verifying γ(α(P)) ⊃ ψ.

A second way of using abstraction is actually constructing the abstracted version of the program and the property of interest [ , 6, 37]. This can be more efficient since the program and property are usually smaller than the abstract reachability graph.

In the example, the predicate abstraction is suggested by the predicates y = 0 and y = 2 in the putative invariant. The abstract transition system replacing the predicates y = 0 and y = 2 is shown in Figure 2.

The abstract transition system computed using predicate abstraction can easily be model checked to confirm that invariant (1) holds. The stronger invariant (4) can also be extracted from the reachable state space of the abstract transition system.

r dicat a stractio affords a ff cti it gratio of th or pro i g a d 
od 1 ch cki g hr th for r is us d to co struct a fi it -stat prop rt - 
pr s r i g a stractio that ca a al d usi g th latt r. h a stractio 
los s i for atio so that a prop rt ca fail to hold i th a stract s st 
h its CO cr t cou t rpart is alid for th co cr t s st .1 this cas , th 
a stractio has to r fi d i troduci g furth r pr dicat s for a stractio [ , 
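The refinement loop just described, worked through on a constructed example (this is added illustration code, not from the paper or from SAL): a two-variable counter program is abstracted with respect to a putative invariant y <= 8 alone, which loses enough information that the abstract system reaches a violating state; adding the linking predicate y = 2x makes the abstraction precise enough for the invariant to hold. The concrete domain is bounded so that the existential queries behind the abstract transition relation can be decided by enumeration; in the paper these queries are discharged by a theorem prover, and the bound, the program and the predicates are all assumptions of this example.

```python
"""Predicate abstraction on a small counter program (added example, not from the paper).

Concrete system (constructed): integer variables x, y, initially 0, 0; one step does
x := x + 1; y := y + 2 while x < 4 and stutters afterwards.  The concrete domain is
bounded to x in 0..10, y in 0..20 so that the query "does some concrete state in
gamma(a) have a successor in gamma(a')" can be decided by enumeration.  Enumeration
stands in for the theorem prover used in the paper and is exact only because the
domain is finite (an assumption of this example)."""
from typing import Callable, Dict, List, Set, Tuple

Concrete = Tuple[int, int]            # (x, y)
Predicate = Callable[[Concrete], bool]
Abstract = Tuple[bool, ...]           # one boolean per predicate

X_RANGE = range(0, 11)
Y_RANGE = range(0, 21)


def concrete_states() -> List[Concrete]:
    return [(x, y) for x in X_RANGE for y in Y_RANGE]


def is_initial(s: Concrete) -> bool:
    return s == (0, 0)


def successor(s: Concrete) -> Concrete:
    x, y = s
    return (x + 1, y + 2) if x < 4 else (x, y)


def alpha(preds: List[Predicate], s: Concrete) -> Abstract:
    """Abstraction map: the truth value of every predicate in the concrete state."""
    return tuple(p(s) for p in preds)


def abstract_system(preds: List[Predicate]):
    """Existential abstraction: a -> a' is an abstract transition iff some concrete
    state s with alpha(s) = a steps to a state s' with alpha(s') = a'."""
    init: Set[Abstract] = set()
    trans: Dict[Abstract, Set[Abstract]] = {}
    for s in concrete_states():
        a = alpha(preds, s)
        if is_initial(s):
            init.add(a)
        trans.setdefault(a, set()).add(alpha(preds, successor(s)))
    return init, trans


def abstract_reach(preds: List[Predicate]) -> Set[Abstract]:
    """Reachable abstract states; the abstract system is finite, so a worklist suffices."""
    init, trans = abstract_system(preds)
    reach, work = set(init), list(init)
    while work:
        a = work.pop()
        for a2 in trans.get(a, ()):
            if a2 not in reach:
                reach.add(a2)
                work.append(a2)
    return reach


def abstract_invariant_holds(preds: List[Predicate], prop_index: int = 0) -> bool:
    """preds[prop_index] is the property.  True means it holds in every reachable
    abstract state and, the abstraction being property preserving, concretely as well.
    False may be spurious (information lost) and asks for further predicates."""
    return all(a[prop_index] for a in abstract_reach(preds))


def concrete_invariant_holds(prop: Predicate) -> bool:
    """Ground truth by concrete reachability, affordable only because the system is tiny."""
    reach, work = {(0, 0)}, [(0, 0)]
    while work:
        s2 = successor(work.pop())
        if s2 not in reach:
            reach.add(s2)
            work.append(s2)
    return all(prop(s) for s in reach)


# Putative invariant and the linking predicate that refines the abstraction (constructed).
PROP: Predicate = lambda s: s[1] <= 8
LINK: Predicate = lambda s: s[1] == 2 * s[0]

if __name__ == "__main__":
    print("concrete:", concrete_invariant_holds(PROP))
    print("abstract with {y<=8}:", abstract_invariant_holds([PROP]))
    print("abstract with {y<=8, y=2x}:", abstract_invariant_holds([PROP, LINK]))
```

With the single predicate the abstract state (False,) is reachable through the concrete state (3, 8), which is unreachable concretely but indistinguishable from (3, 6) under y <= 8; the second predicate separates them, after which the only reachable abstract state is (True, True).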



3 SAL: Symbolic Analysis Laboratory

We have already seen a catalog of symbolic analysis techniques. The idea of a symbolic analysis laboratory is to allow these techniques to coexist so that the analysis of a transition system can be carried out by successive applications of a combination of these techniques [6]. With such a combination of analysis techniques, one could envisage a verification methodology where

1. Cone-of-influence reduction is used to discard irrelevant variables.

2. Invariant generation is used to obtain small but useful invariants.

3. These invariants are used to obtain a reasonably accurate abstraction to a finite-state transition system.

4. Model checking is used to compute useful invariants of the finite-state abstraction.

5. The invariants computed by model checking over the abstraction are used and propagated using invariant generation techniques.

6. This cycle can be repeated until no further useful information is forthcoming.

SAL provides a blackboard architecture for symbolic analysis where a collection of tools interact through a common intermediate language for transition systems. The individual analyzers (theorem provers, model checkers, static analyzers) are driven from this intermediate language and the analysis results are fed back to this intermediate level. In order to analyze systems that are written in a conventional source language, the transition system model of the source program has to be extracted and cast in the intermediate language. The model extracted in the intermediate language essentially captures the transition system semantics of the original source program.

[Fig. 3. Architecture of SAL. Figure lost in extraction; its labels: Programs, Verification conditions, Abstractions, Properties.]

The SAL architecture is shown in Figure 3. The architecture is constrained so that the different analysis tools do not communicate directly with each other, but do so through the intermediate language. The interaction between the tools must therefore be at a coarse level of granularity, namely in terms of transition systems, their properties, and property-preserving transformations between transition systems. Allowing the tools to communicate directly to each other would require a quadratic number of different maps (for a given number of tools) between these analysis tools.

The intermediate language

The SAL intermediate language serves as

1. The target of translations from source languages.

2. The source for translations to the input formats of different analysis tools.

3. A medium for communication between different analysis tools.

We are currently working on a translator from a subset of Verilog to SAL, and another from a subset of Java to SAL. The SAL intermediate language was designed in collaboration with Prof. David Dill of Stanford, Prof. Tom Henzinger at Berkeley, and several colleagues at SRI, Stanford, and Berkeley.
The SAL intermediate language is based on languages and models such as SMV [3 ], Murphi [ ], Reactive Modules [2], TLA [2 ], UNITY [ 5], and [2 ], among others. The unit of specification in SAL is a context which contains declarations of types, constants, transition system modules, and assertions. A module is a transition system unit. A basic module is a state transition system where the state consists of input, output, local, and global variables, where

- An input variable to a module can be read but not written by the module.

- An output variable to a module can be read and written by the module, and only read by an external module.

- A local variable to a module can be read and written by the module, but is not read or written by an external module.

- A global variable to a module can be read and written by the module as well as an external module.

A basic module also specifies the initialization and transition steps. These can be given by a combination of definitions or guarded commands. A definition is of the form  = expression or  ' = expression, where the primed variable refers to the value of the variable in the next state of a transition. A definition can also be given as a selection of the form  ' IN set which means that the value of the primed variable is nondeterministically selected from the values of the set. A guarded command is of the form  -->  , where the left-hand side is a boolean guard and the right-hand side is a list of definitions of the form  ' = expression or  ' IN set.

SAL, as in synchronous languages such as Esterel [5] and Lustre [22], allows synchronous, i.e., Mealy machine, interaction so that the value of a local or output variable can be determined by the value of an input variable. Such interaction introduces the possibility of a causal cycle where each variable is defined to react synchronously to the other. Such causal cycles are ruled out by using static analysis to generate proof obligations demonstrating that such cycles are not reachable. The UNITY and SMV models do not admit such synchronous interaction since the new values of a variable in a transition are completely determined by the old values of the variables. Murphi allows such interaction but the semantics is not clearly specified, particularly when causal cycles are possible. The Reactive Modules [2] language uses a static partial ordering on the variables that breaks causal loops by allowing synchronous interaction in one direction of the ordering but not the other. In TLA [2 ], two modules are composed by conjoining their transition relations. This allows synchronous interaction where causal loops can be resolved in any manner that is compatible with the conjunction of the transition relations being satisfied.

Modules can be composed

- synchronously, so that  ||  is a module that takes the two modules' transitions in lockstep, or

- asynchronously, so that  []  is a module that takes an interleaving of the two modules' transitions.
There are rules that govern the usage of variables within a composition. Two modules engaged in a composition must not share output variables and nor should the output variables of one module overlap with the global variables of another. The modules can share input and global variables, and the input variables of one module can be the output or global variables of the other. Two modules that share a global variable cannot be composed synchronously, since this might create a conflict when both modules attempt to write the variable synchronously. The rules governing composition allow systems to be analyzed modularly so that system properties can be composed from module properties [2].

The n-fold synchronous and asynchronous compositions of modules are also expressible in SAL. Module operations include those for hiding and renaming of variables. A module defined by means of composition and other module operations can always be written as a single basic module, but with a significant loss of succinctness.
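The composition rules of the preceding paragraph, expressed as a small static check a front-end could run before building a composite module. This is added example code, not part of SAL; the module summaries, their variable names and the error strings are constructed for the illustration, and the check deliberately does not flag an input fed by the other module's output or global variable, since the text allows that.

```python
"""Static check of SAL's variable-usage rules for module composition (added example,
not SAL's own code).  A module is summarised by its four variable classes; the rules
checked are the ones stated above: composed modules must not share output variables,
the outputs of one must not overlap the globals of the other, and two modules sharing
a global variable cannot be composed synchronously.  Shared inputs and globals, and an
input of one module fed by an output or global of the other, are allowed."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Module:
    name: str
    inputs: FrozenSet[str] = frozenset()
    outputs: FrozenSet[str] = frozenset()
    locals_: FrozenSet[str] = frozenset()
    globals_: FrozenSet[str] = frozenset()


def composition_errors(p: Module, q: Module, synchronous: bool) -> List[str]:
    """Every rule violated by composing p and q, as human-readable messages."""
    errors: List[str] = []
    shared_out = p.outputs & q.outputs
    if shared_out:
        errors.append(f"shared output variables: {sorted(shared_out)}")
    for a, b in ((p, q), (q, p)):
        clash = a.outputs & b.globals_
        if clash:
            errors.append(f"outputs of {a.name} overlap globals of {b.name}: {sorted(clash)}")
    shared_glob = p.globals_ & q.globals_
    if synchronous and shared_glob:
        errors.append(f"synchronous composition with shared globals: {sorted(shared_glob)}")
    return errors


def can_compose(p: Module, q: Module, synchronous: bool) -> bool:
    return not composition_errors(p, q, synchronous)


# Constructed sample modules.
PRODUCER = Module("producer", outputs=frozenset({"data"}))
CONSUMER = Module("consumer", inputs=frozenset({"data"}), outputs=frozenset({"ack"}))
RIVAL = Module("rival", outputs=frozenset({"data"}))          # second writer of "data"
BUS_A = Module("bus_a", globals_=frozenset({"bus"}))
BUS_B = Module("bus_b", globals_=frozenset({"bus"}))
BUS_WRITER = Module("bus_writer", outputs=frozenset({"bus"}))  # output vs. another's global

if __name__ == "__main__":
    for p, q, sync in ((PRODUCER, CONSUMER, True), (PRODUCER, RIVAL, False),
                       (BUS_A, BUS_B, True), (BUS_A, BUS_B, False), (BUS_WRITER, BUS_A, False)):
        kind = "||" if sync else "[]"
        print(f"{p.name} {kind} {q.name}:", composition_errors(p, q, sync) or "ok")
```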

SAL does not contain features other than the rudimentary ones described above. There are no constructs for synchronization, synchronous message passing, or dynamic process creation. These have to be explicitly implemented by means of the transition system mechanisms available in SAL. While these features are useful, their introduction into the language would place a greater burden on the analysis tools.

The SAL language is thus similar in spirit to Abstract State Machines [2 ] in that both serve as basic conceptual models for transition systems. However, machines described in SAL are not abstract compared with those in ASM notation since SAL is intended as a front-end to various popular model checking and program analysis tools.

4 Conclusions

Powerful automated verification technologies have become available in the form of model checkers for finite, timed, and hybrid systems, decision procedures, theorem provers, and static analyzers. Individually, these technologies are quite limited in the range of systems or properties they can handle with a high degree of automation. These technologies are complementary in the sense that one is powerful where the other is weak. Static analysis can derive properties by means of a syntactic analysis. Model checking is best suited for control-intensive systems. Theorem proving is most appropriate for verifying mathematical properties of the data domain. Symbolic analysis is aimed at achieving a synergistic integration of these analysis techniques. The unifying ideas are

1. The use of transition systems as a unifying model, and

2. Fixed point computations over symbolic representations as the unifying analysis scheme.

3. Abstraction as the key technique for reducing infinite-state systems to finite-state form.
Implementation work on the SAL framework is currently ongoing. The preliminary version of SAL consists of a parser, type checker, causality checker, an invariant generator, translators from SAL to PVS and SMV, and some other tools. SAL is intended as an experimental framework for studying the ways in which different symbolic analysis techniques can be combined to achieve greater automation in the verification of transition systems.

Acknowledgments. Many collaborators and colleagues have contributed ideas and code to the SAL language and framework, including Saddek Bensalem, David Dill, Tom Henzinger, Luca de Alfaro, Vijay Ganesh, Yassine Lakhnech, César Muñoz, Sam Owre, Harald Rueß, John Rushby, Vlad Rusu, Hassen Saïdi, Eli Singerman, Mandayam Srivas, Jens Skakkebæk, and Ashish Tiwari.

References

1. R. Alur and T. A. Henzinger, editors. Computer-Aided Verification, CAV '96, volume 1102 of Lecture Notes in Computer Science, New Brunswick, NJ, July/August 1996. Springer-Verlag.

2. R. Alur and T. A. Henzinger. Reactive modules. Formal Methods in System Design, 15(1):7-48, 1999.

3. Nikolaj Bjørner, I. Anca Browne, and Zohar Manna. Automatic generation of invariants and intermediate assertions. Theoretical Computer Science, 173(1):49-87, 1997.

4. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142-170, June 1992.

5. G. Berry and G. Gonthier. The Esterel synchronous programming language: Design, semantics, and implementation. Science of Computer Programming, 19(2):87-152, 1992.

6. Saddek Bensalem, Vijay Ganesh, Yassine Lakhnech, César Muñoz, Sam Owre, Harald Rueß, John Rushby, Vlad Rusu, Hassen Saïdi, N. Shankar, Eli Singerman, and Ashish Tiwari. An overview of SAL. In C. Michael Holloway, editor, LFM 2000: Fifth NASA Langley Formal Methods Workshop, Hampton, VA, June 2000. NASA Langley Research Center. To appear.

7. Saddek Bensalem and Yassine Lakhnech. Automatic generation of invariants. Formal Methods in System Design, 15(1):75-92, July 1999.

8. Saddek Bensalem, Yassine Lakhnech, and Sam Owre. Computing abstractions of infinite state systems compositionally and automatically. In Hu and Vardi [26], pages 319-331.

9. Saddek Bensalem, Yassine Lakhnech, and Hassen Saïdi. Powerful techniques for the automatic generation of invariants. In Alur and Henzinger [1], pages 323-335.

10. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, August 1986.

11. Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In E. A. Emerson and A. P. Sistla, editors, Computer-Aided Verification, CAV 2000, Lecture Notes in Computer Science. Springer-Verlag, 2000. To appear.

14. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In 5th ACM Symposium on Principles of Programming Languages. Association for Computing Machinery, January 1978.

15. K. Mani Chandy and Jayadev Misra. Parallel Program Design: A Foundation. Addison-Wesley, Reading, MA, 1988.

16. M. A. Colón and T. E. Uribe. Generating finite-state abstractions of reactive systems using decision procedures. In Hu and Vardi [26], pages 293-304.

17. Satyaki Das, David L. Dill, and Seungjoon Park. Experience with predicate abstraction. In Halbwachs and Peled [25], pages 160-171.

18. David L. Dill. The Murphi verification system. In Alur and Henzinger [1], pages 390-393.

19. R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proc. 15th Work. Protocol Specification, Testing, and Verification, Warsaw, June 1995. North-Holland.

20. Yuri Gurevich. Evolving algebras 1993: Lipari guide. In Egon Börger, editor, Specification and Validation Methods, International Schools for Computer Scientists, pages 9-36. Oxford University Press, Oxford, UK, 1995.

21. S. M. German and B. Wegbreit. A synthesizer for inductive assertions. IEEE Transactions on Software Engineering, 1(1):68-75, March 1975.

22. N. Halbwachs, P. Caspi, P. Raymond, and D. Pilaud. The synchronous dataflow programming language Lustre. Proceedings of the IEEE, 79(9):1305-1320, September 1991.

23. C. A. R. Hoare. An axiomatic basis of computer programming. Communications of the ACM, 12(10):576-583, October 1969.

24. G. J. Holzmann. Design and Validation of Computer Protocols. Prentice Hall, 1991.

25. Nicolas Halbwachs and Doron Peled, editors. Computer-Aided Verification, CAV '99, volume 1633 of Lecture Notes in Computer Science, Trento, Italy, July 1999. Springer-Verlag.

26. Alan J. Hu and Moshe Y. Vardi, editors. Computer-Aided Verification, CAV '98, volume 1427 of Lecture Notes in Computer Science, Vancouver, Canada, June 1998. Springer-Verlag.

27. S. Katz and Z. Manna. Logical analysis of programs. Communications of the ACM, 19(4):188-206, April 1976.

28. Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872-923, May 1994.

29. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:11-44, 1995.

30. Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Boston, MA, 1993.

31. Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent Systems, Volume 1: Specification. Springer-Verlag, 1992.

32. Zohar Manna and the STeP group. STeP: Deductive-algorithmic verification of reactive and real-time systems. In Alur and Henzinger [1], pages 415-418.

33. A. Pnueli. The temporal logic of programs. In Proc. 18th Symposium on Foundations of Computer Science, pages 46-57, Providence, RI, November 1977.

34. Hassen Saïdi. A tool for proving invariance properties of concurrent systems automatically. In Tools and Algorithms for the Construction and Analysis of Systems TACAS '96, volume 1055 of Lecture Notes in Computer Science, pages 412-416, Passau, Germany, March 1996. Springer-Verlag.

35. Hassen Saïdi and Susanne Graf. Construction of abstract state graphs with PVS. In Orna Grumberg, editor, Computer-Aided Verification, CAV '97, volume 1254 of Lecture Notes in Computer Science, pages 72-83, Haifa, Israel, June 1997. Springer-Verlag.

36. N. Suzuki and K. Ishihata. Implementation of an array bound checker. In 4th ACM Symposium on Principles of Programming Languages, pages 132-143, January 1977.

37. Hassen Saïdi and N. Shankar. Abstract and model check while you prove. In Halbwachs and Peled [25], pages 443-454.

38. Moshe Y. Vardi and Pierre Wolper. An automata-theoretic approach to automatic program verification (preliminary report). In Proceedings, 1st Annual IEEE Symp. on Logic in Computer Science, pages 332-344. IEEE Computer Society Press, 1986.




Encoding Abstract State Machines in PVS

Angelo Gargantini and Elvinia Riccobene

Dipartimento di Elettronica e Informazione - Politecnico di Milano -
gargantini@elet.polimi.it

Dipartimento di Matematica e Informatica - Università di Catania -
riccobene@dmi.unict.it

Abstract. In this paper we show how the specification and verification system PVS (Prototype Verification System) can provide tool support for Abstract State Machines (ASMs), especially oriented towards automatic proof checking and mechanized proving of properties. Useful templates are presented which allow encoding of ASM models into PVS without any extra user's skill. We prove the transformation preserves the semantics and provide a framework for an automatic tool, prototypically implemented, which translates ASM specifications in PVS. The ASM specification of the Production Cell given in [4] is taken as case study to show how to formalize multi-agent ASMs in PVS and prove properties.

1 Introduction

Gurevich's Abstract State Machines (ASMs) [9] have been successfully used for design and analysis of complex hardware/software systems [3,2]. Through real case studies, ASMs have shown to be a practical method for rigorous system development and to meet the requirements, addressed by Heitmeyer [ ], that formal methods need to have "to be useful to practitioners": a user-friendly notation, useful, easy to understand feedback, integration into standard development process. ASMs use only the standard language and standard methods of programming and mathematics. ASM models are easy to read, understand and inspectable by the customer, but they are flexible to change, and precise and complete to match the designer's requirements. However, we believe that the success of a formal method in industrial field also depends on the availability of related automated tools helping the user during the process of specification and subsequent verification and validation. Therefore, machine support for the use of ASMs is extremely useful.

During the last years various investigations have been started in order to verify standard mathematical reasoning about ASMs by interactive or fully automated proof tools. Some encouraging results are already reported in literature (see discussion in [3]). Among theorem provers, PVS (Prototype Verification System) has been used in [7] to show the correctness of bottom-up rewriting specification for back-end compilers from an intermediate language into binary RISC processor code. Dold et al. state that "erroneous rules have been found using PVS and, through failed proof attempts, errors were corrected by inspection of the proof state". Mechanical checking of formal specifications and

Y. Gurevich et al. (Eds.): ASM 2000, LNCS 1912, pp. —
© Springer-Verlag Berlin Heidelberg 2000
properties is useful both as a final confirmation of their correctness and for simplifying the process of discovering inconsistencies and proving properties. In fact, experience shows that even the most carefully crafted formal specifications and proofs, done by hand, can still contain inconsistencies and other errors, and that such errors are discovered only using tools capable to perform some sort of analysis (also simple name checking, type consistency checking or other similar simple analysis). Proofs can also be so long and tedious that machine support can reduce the human effort.

In this paper, we show how PVS can provide tool support for ASMs, especially oriented towards automatic proof checking and mechanized proving of properties. PVS [ 3], developed by SRI, is a higher order logic specification and verification environment with a tableau-like deduction system. PVS provides both a highly expressive specification language and automation of proof steps. Starting from the work of Dold et al. in [ ,7] we develop suitable PVS theories to encode ASM models in PVS and prove that our transformation preserves the semantics of ASMs. Our approach differs from that of Dold et al. in the way of encoding the transition system. Our goal is to define a transformation from ASMs to PVS that preserves the layout of the original rule transition system. To achieve this goal we do not take any strong assumption as "only one rule enabled at a time", indeed we allow more rules to be simultaneously executed. Therefore, we do not demand that the user should transform the whole system of rules in one meta rule, a transformation which can require skill and ingenuity, especially in case of multi-agent models. Instead, we propose an algorithmic approach of transformation which keeps the set of transition rules as a set of different rules. We provide useful templates for helping the user during the encoding phase, and useful proof schemes for requirements verification. The suggested encoding scheme is mechanizable and we provide a framework for a tool, that we prototypically implemented, supporting automatic transformation in PVS of ASM models given with the ASM-SL language [5].

Our encoding of ASMs has been tested for multi-agent models. We report here the PVS specification of the Production Cell given in [4], and we discuss the results of the mechanized proofs of safety and liveness properties. Several proofs are obtained with assumptions, usually regarding the physical environment behavior, that are implicit in the formal description but need to be added in the machine supported approach. Thanks to the PVS features, we formulate such assumptions in a declarative way instead of using the operational way required by the model checking approach used by Winter in [ 4] to show the correctness of the Production Cell specification.

The article is organized as follows. The problem of encoding ASMs in PVS is discussed in Sections 2.1-2.3. Section 2.4 shows how to validate specifications using PVS. Sections 2.5 and 2.6 present proof schemes to support verification of invariant properties and trace properties. Section 3 contains the specification of the Production Cell case study and the results of the verification task. In Section 4 we discuss our work in comparison with related results, and we conclude outlining future research directions.
In this section we present our encoding of ASMs in PVS. It consists of a set of PVS theories, hierarchically organized, which define types and functions modeling universes and rules, and of a set of strategies defined in order to simplify the proof conduction. Universe and function representation is based on the work of Dold et al. [ ,7]. The encoding of rules and dynamics of ASMs is significantly changed.



2.1 Abstract States

An ASM state models a (abstract) machine state, i.e. the collection of elements the machine "knows", and the functions and predicates it uses to manipulate such elements. Mathematically a state is defined as a structure which consists of a collection of domains (sets, also called universes, each of which stands for a particular type of elements) with arbitrary functions and relations defined on them.

Universes representation. Universes have different encoding depending on their being static or dynamic:

- a static universe U, i.e. a universe which does not change during computation, is encoded as uninterpreted type U : TYPE.

- a dynamic universe U, i.e. a universe which may grow during computation, is encoded as a set U : setof[T] of elements of type T.

Since elements cannot be added to PVS types, only such encoding allows to expand universes. To this purpose, the functions add and union, (pre-)defined within the PVS theory sets, can be used.

Remark 1. The concept of type in PVS is very different from the usual meaning of type in programming languages. PVS types abstractly represent entities with common operations. There are only a few built-in types such as numbers, integers and booleans. Other types may be defined either as uninterpreted types, or through the construct DATATYPE, or in terms of already defined types by usual type constructors (as lists, records, etc.).

It is possible to encode the super universe itself as an uninterpreted type S and every universe U as a subset of S, as already noted by Dold in [ ], or as uninterpreted subtype (with the same meaning as subset). However, in the last case it is necessary to introduce axioms to guarantee properties on sets, as, for example, disjointness between universes, so not exploiting the strong and powerful type system of PVS. For this reason we suggest to encode universes as uninterpreted types whenever possible, and use the construct setof only for dynamic universes.



Functions and states. Basic functions are classified in static functions which remain constant, and dynamic functions which may change interpretation during computation. Dynamic functions are furthermore classified in controlled, monitored and shared. Controlled functions occur inside function updates and can change by application of transition rules. Monitored functions can change only due to the environment. Shared functions can change by application of a transition rule but also by some other agents; they formalize the interactions in case of multi-agent computations and combined updates of locations. Functions defined in terms of the basic ones are called derived.

We encode functions almost as proposed in [ ].

- Static functions are encoded as usual PVS functions.

- Monitored functions are modeled as functions adding the type ENV to the arguments of their domain. ENV is an uninterpreted type which represents the external environment, that is everything outside the system's control. A boolean dynamic monitored variable is therefore encoded as a function from ENV to bool, whereas a generic monitored function f : S -> T is translated into the PVS function f : [ENV, S->T].

Our way of interpreting ENV is different from that proposed in [ ] where ENV is the record of all monitored functions. Our view of ENV has the advantage of allowing a designer to easily add and remove monitored functions.

- Controlled functions are regarded as fields of a record CTRLSTATE which represents the controlled part of a state. Therefore, if f : A -> B and g : Int -> Bool are controlled functions, the controlled part of the state is defined as CTRLSTATE : TYPE = [# f : [A->B], g: [int->bool] #].

- Shared functions are defined as controlled functions. In a multi-agent ASM, the controlled part of a "global" state is viewed as the collection of all controlled agents' states. Therefore, shared functions, as controlled by at least one agent, are defined as components of the CTRLSTATE.

- Derived functions are encoded as PVS functions defined in terms of their function components in a straightforward way from their specification.

A state is compound of its controlled part and the environment. It is defined as the record STATE : TYPE = [# env: ENV, ctrl: CTRLSTATE #].



2.2 Rules





(Transition) rules model the actions performed by the machine to manipulate elements of its domains and which will result in a new state. A transition rule R has the general form:

R : if C then Updates endif

C, also called the guard of the rule, is a statement expressing the condition under which R must be applied; Updates consists of finitely many function updates:

f(t1, ..., tn) := t

which are executed simultaneously. f is an arbitrary n-ary function and t1, ..., tn is the tuple of arguments at which the value of the function is set to t.

Rules serialization and parallel rule application. In this section we tackle the problem of finding an algorithm to serialize firing of rules which guarantees the semantics of their parallel application as stated in [3]:

Let P be a finite set of rules. Applying one step of P to a state S produces as next state another algebra S', of the same signature, obtained as follows. First evaluate in S, using the standard interpretation of classical logic, all the guards of all the rules of P. Then compute in S, for each of the rules of P whose guard evaluates to true, all the arguments and all the values appearing in the updates of this rule. Finally replace, simultaneously for each rule and for all the locations in question, the previous function value by the newly computed value.

Let R1, ..., Rn be a set of rules. A naive approach of computing the next state S' of the current state S by applying rules Ri, i = 1 ... n, sequentially (1), does not guarantee the semantics for two reasons: (a) guards cond_i of Ri are not evaluated in the same state S for all i; (b) terms occurring in the left and right sides of function updates of Ri are not all evaluated in S. The following example may help to convince that this approach is wrong.

Example 1. Let S = {x , y , z 2} be the current state consisting of three integer variables x, y, z, and R1, R2, R3 be the transition system with rules defined as follows:

R1 : if x =  then y := 5    R2 : if y = 5 then x := 2    R3 : z := x + y

By sequential rules application, it results:

whereas the correct computation would be S' = {x , y 5, z }.

A first algorithm to overcome the errors of the naive attempt is given below. Let R1, ..., Rn be a set of transition rules, Ri of the form if cond_i then Updates_i endif, where Updates_i is a sequence of function updates f(t1, t2, ..., tn) := t, and S be the current state. The algorithm can be stated as follows:

1. For all rules R1, ..., Rn, mark Ri if enabled at the state S.

2. For all i such that Ri is marked, evaluate in S all terms t1, t2, ..., tn, t occurring in function updates f(t1, t2, ..., tn) := t of Updates_i.

3. For all i such that Ri is marked, sequentially perform the function updates in Updates_i using the values computed at step 2.

The proposed algorithm initially evaluates all the guards only in S and only afterwards, sequentially, performs all the function updates. Applying the algorithm to the above example we get the following correct transformation:



(1) I.e., first evaluate the guard of R1 and, if it is true, perform the updates defined in R1 to obtain S1; then apply R2 to S1 and obtain S2; and so on till computing the final state Sn to be taken as S'.
Rule R2 does not affect the state because not enabled, and R3 correctly computes the value of z using the values of x and y in S.

Inconsistent updates. If a location is updated to different values by simultaneously firing rules, then we speak of "inconsistent updates". Although the location value should remain unchanged due to the non-execution of inconsistent updates [9], according to our algorithm, the location would take the last value assigned to it. For this reason, at the moment, we are able to consider only consistent ASM models. It would be possible to discover inconsistent updates through simulation of suitable test cases. However, simulation can never guarantee absence of inconsistency. Applying a formal verification technique similar to that used for proving invariant properties in Section 2.4, we might discover inconsistent updates. Checking inconsistency of specifications is a problem still under investigation. Note that the problem of firing inconsistent updates is not taken in consideration in [ ,7].

Extending universes with extend. The proposed algorithm does not give the expected result dealing with combination of rules which simultaneously add elements to a same set by the construct extend. This problem arose trying to encode in PVS the model of crypto-protocol given in [ ]. In this model, different agents can send at the same time messages into the MAIL (a set of messages) representing the network channel common to all agents.

To be convinced that extend must be dealt with particular attention, consider the following example. Let S be a state where a set A has value ∅ and the following rules are enabled in S:

R1 : if A = ∅ then extend A with a

R2 : if A = ∅ then extend A with b

Encoding "extend A with x" as a function update of the form A := A ∪ {x}, by our algorithm, we get the following transformation:

S : (A = ∅) → (A = {a}) → (A = {b}) : S'

However, as both rules are applicable, according to the correct semantics of extend, we expect the result A = {a, b} in the final state.

The algorithm needs to be adjusted to deal with extend. A correct solution should (a) evaluate expressions in the current state; (b) fire updates not involving extend against the current state; (c) if a rule Ri contains an update extend U with u, add u to the set U interpreted not in the current state, but in the state obtained after firing all rules preceding Ri (otherwise we could lose updates of U by other possible extends of previous rules).
The revised version of the algorithm follows:

1. For all rules R1, ..., Rn, mark Ri if enabled at the state S.

2. For all i such that Ri is marked, evaluate in S all terms occurring in function updates of Updates_i with the exception of those representing universes as arguments of extend.

3. Let, up to renaming, R1, ..., Rm be the set of all marked rules. Assume S0 = S. Sequentially, compute Si from Si-1, i = 1 ... m, performing function updates of Updates_i of rule Ri in Si-1: use values computed at step 2 for all terms except those representing universes within extend which must be evaluated in Si-1. The final state S' is Sm.
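The revised algorithm in executable form, written with the Ri(current, intCtrl) rule signature that Section 2.3 uses for the PVS encoding. This is an added example, not the paper's PVS theories: rules are Python functions over dict states, universes are frozensets, and the rules and numeric values are constructed here because the paper's own example lost its numbers in extraction. The sequential scheme the paper rejects is kept alongside for contrast, and a separate check reports the inconsistent updates that the algorithm would otherwise resolve silently by keeping the last value.

```python
"""Serialised firing of ASM transition rules (added example; not the paper's PVS code).

Every rule reads its guard and update terms from `current`, the state the step
started in, and writes into `ctrl`, the intermediate controlled state left by the
rules before it.  Only `extend` reads the intermediate state, so simultaneous extends
of one universe accumulate.  States are dicts, universes are frozensets; all rules and
values below are constructed for this illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

State = Dict[str, Any]
Term = Callable[[State], Any]
Update = Tuple[str, str, Term]   # ("set", location, term) or ("extend", universe, term)


@dataclass(frozen=True)
class Rule:
    name: str
    guard: Callable[[State], bool]
    updates: Tuple[Update, ...]

    def apply(self, current: State, ctrl: State) -> State:
        """Ri(current, intCtrl): guard and terms are evaluated in `current`;
        the updates land in a copy of the intermediate state `ctrl`."""
        if not self.guard(current):
            return ctrl
        new = dict(ctrl)
        for kind, loc, term in self.updates:
            value = term(current)
            if kind == "set":
                new[loc] = value
            elif kind == "extend":
                # the universe is taken from the intermediate state, not from `current`
                new[loc] = new[loc] | frozenset({value})
            else:
                raise ValueError(f"unknown update kind {kind!r}")
        return new


def next_state(current: State, rules: List[Rule]) -> State:
    """Revised algorithm: fold the rules over the intermediate state."""
    ctrl = current
    for r in rules:
        ctrl = r.apply(current, ctrl)
    return ctrl


def naive_next(current: State, rules: List[Rule]) -> State:
    """Rejected sequential scheme: each rule sees the state left by the previous one."""
    s = current
    for r in rules:
        s = r.apply(s, s)
    return s


def inconsistent_updates(current: State, rules: List[Rule]) -> Set[str]:
    """Locations that simultaneously enabled rules assign different values to."""
    seen: Dict[str, Any] = {}
    clashes: Set[str] = set()
    for r in rules:
        if not r.guard(current):
            continue
        for kind, loc, term in r.updates:
            if kind != "set":
                continue
            v = term(current)
            if loc in seen and seen[loc] != v:
                clashes.add(loc)
            seen.setdefault(loc, v)
    return clashes


# Example 1 of the paper with constructed values: S = {x 1, y 2, z 3}.
S_XYZ: State = {"x": 1, "y": 2, "z": 3}
RULES_XYZ = [
    Rule("R1", lambda s: s["x"] == 1, (("set", "y", lambda s: 5),)),
    Rule("R2", lambda s: s["y"] == 5, (("set", "x", lambda s: 2),)),
    Rule("R3", lambda s: True, (("set", "z", lambda s: s["x"] + s["y"]),)),
]

# The extend example: two rules extend the same empty set A in one step.
S_SET: State = {"A": frozenset()}
RULES_EXTEND = [
    Rule("E1", lambda s: s["A"] == frozenset(), (("extend", "A", lambda s: "a"),)),
    Rule("E2", lambda s: s["A"] == frozenset(), (("extend", "A", lambda s: "b"),)),
]
# Same rules with extend encoded as A := A ∪ {x}, the encoding the paper shows failing.
RULES_EXTEND_AS_SET = [
    Rule("E1", lambda s: s["A"] == frozenset(), (("set", "A", lambda s: s["A"] | {"a"}),)),
    Rule("E2", lambda s: s["A"] == frozenset(), (("set", "A", lambda s: s["A"] | {"b"}),)),
]
RULES_CLASH = [
    Rule("C1", lambda s: True, (("set", "x", lambda s: 1),)),
    Rule("C2", lambda s: True, (("set", "x", lambda s: 2),)),
]

if __name__ == "__main__":
    print("naive   :", naive_next(S_XYZ, RULES_XYZ))
    print("revised :", next_state(S_XYZ, RULES_XYZ))
    print("extend as set update:", next_state(S_SET, RULES_EXTEND_AS_SET)["A"])
    print("extend, revised     :", next_state(S_SET, RULES_EXTEND)["A"])
    print("clashing locations  :", inconsistent_updates(S_XYZ, RULES_CLASH))
```

With the constructed values the sequential scheme lets R2 see y = 5 and R3 see x = 2, whereas the revised algorithm evaluates every guard and term in S, so only y changes and z keeps the value x + y computed in S; for the extend example the set encoding keeps only the last element while the extend-aware fold yields {a, b}.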

Remark 2 (Reserve and multisets). According to the ASM semantics, elements added to the extended universes are "new" and imported from the reserve. To guarantee that, Dold et al. introduce a predicate new to control an element does not already belong to the set to be extended, and a function sort_update which extends a set by new elements. However, PVS does not allow sets to contain different occurrences of the same element, and Dold's formalization does not avoid such a problem. When a specification requires a universe to contain multiple occurrences of a same element, we suggest to encode the universe as a multiset instead of a set. Keeping in mind that in PVS a set of elements of type T is a function from T to bool, as natural extension, a multiset can be encoded as a function from T to natural numbers: the value of the function represents the number of occurrences of its argument in the multiset. Functions and predicates on sets, like add, member, emptyset, etc., must be redefined. The PVS theory to model multisets follows:

multisets [T: TYPE]: THEORY
BEGIN

multiset: TYPE = [T -> nat]

x, y: VAR T
a: VAR multiset

% an element x is member of a only if the occurrences
% of x in a are greater than 0
member(x, a): bool = a(x) > 0
empty?(a): bool = (FORALL x: NOT member(x, a))
emptyset: multiset = lambda x: 0
nonempty?(a): bool = NOT empty?(a)

% the function "add" returns the same multiset modified
% by increasing by one the number of occurrences of the added
% element
add(x, a): (nonempty?) = lambda y:
    if x = y then a(y) + 1 else a(y) endif
END multisets

Remark 3. The rule encoding proposed in [ ,7] is based on the (strong) assumption that rules "concern distinct (disjoint) cases". As a consequence, one may infer that (a) at every step only one rule is enabled, and therefore (b) all rules "may be combined into a single state transition function, defined by a case construct or nested conditionals". Such a single transition function is called "one-step interpreter" by Dold et al. This assumption of disjoint cases is restrictive, since in many applications more than one rule might fire at a time. In case of possible simultaneous firing of many rules, a unique transformation function might still model the dynamics as well, however we prefer keeping the set of transition rules as a set of distinct rules, without forcing the user to define an equivalent transformation function from the current state to the next one. The advantages are two: first stylistic, because we preserve the ASM structure, and second practical, because writing an equivalent global transformation function requires skill and ingenuity. Furthermore, due to the assumption that only one rule can be applied in one step, the one-step interpreter is absolutely not suitable in case of multi-agent ASMs.

Remark 4. Another possible approach for rule encoding would be to define the value of every variable and function (location) in the next step by means of axioms. For example, the update f(x) := t would be translated into an axiom of the form update : AXIOM f(next(s))(x) = t, where next(s) stands for the next state. In this way it would not be necessary to introduce the state as a record and we could consider the state as a simple uninterpreted type. This approach is similar to that taken by [ 4] to translate ASMs in SMV. However, this translation does not preserve the original form of the rules and problems arise when a rule consists of more than one function update, or more rules update the same function (location). In both cases, a complex transformation is needed as described in detail in [ 4].

2.3 Implementing rules in PVS

In this section we show how the proposed algorithm has been implemented in PVS. Keep in mind that in our encoding a state consists of a controlled part (CTRLSTATE), modifiable by the rules, and the environment (ENV).

Rule encoding. We consider a rule as a function Ri(current, intCtrl). The first argument current : STATE represents the current state s (controlled part and environment), and it is used to evaluate guards (step 1 of the algorithm) and to compute terms (step 2 of the algorithm). The second argument intCtrl : CTRLSTATE represents an intermediate controlled state, which is the result of applying the previous i-1 rules, and is used to compute those updates extending sets (step 3 of the algorithm). Ri(current, intCtrl) yields a controlled (intermediate) state.

In PVS a rule Ri is therefore declared with the type Ri : [STATE, CTRLSTATE -> CTRLSTATE].

Computation of the next state by composition of rules. To compute the next state of a current one by application of a set of rules, we define the function next as explained below.

Let R1, R2, ..., Rn be a set of rules, and s the current state (let cs be its controlled part). The controlled part cs' of the next state s' is inductively defined as follows:

  1. cs_0 = cs
  2. for i = 1, ..., n : cs_i = Ri(s, cs_{i-1})
  3. cs' = cs_n

This algorithm is needed solely to compute the controlled part of s', since the rules do not change the monitored part (i.e. the environment).

The set of all rules is encoded as a list rules of functions from state and controlled state to a controlled state:

  rules : list[[STATE, CTRLSTATE -> CTRLSTATE]]

The application of the list rules, using s0 as current state and cs_i as intermediate controlled state, is given by the following recursive definition:

  apply(s0, cs_i, rules) : recursive CTRLSTATE =
    if null?(rules) then cs_i
    else apply(s0, car(rules)(s0, cs_i), cdr(rules))
    endif measure length(rules)

The controlled part of the next state of s is defined by applying the list rules of all rules, taking s as initial current state and its controlled part as initial intermediate controlled state:

  nextCtrlState(s : STATE) : CTRLSTATE = apply(s, s`ctrl, rules)

The monitored part (the environment) of the next state of s is defined by the following function, which returns a random (i.e. unconstrained) value for ENV; it is declared but left uninterpreted:

  nextEnv(s : STATE) : ENV

Because nextEnv is uninterpreted, whatever is proved about next(s) holds for every possible behaviour of the environment; any constraint the environment is supposed to respect has to be stated explicitly, as we do with axioms in Section 3.

The next state of s is the composition of the two next (controlled and monitored) parts:

  next(s : STATE) : STATE =
    (# env := nextEnv(s), ctrl := nextCtrlState(s) #)

1 car and cdr are built-in PVS functions yielding head and tail of a list, respectively.
Templates for rules encoding. We report here the two templates for rule encoding. We distinguish between rules with and without extending updates. Let Ri: if cond_i then Stat_i be a transition rule.

1. If Stat_i is a sequence of function updates of the form f(t1, ..., tn) := t, then Ri is translated into PVS as follows:

  Ri(current, intCtrl) : CTRLSTATE =
    IF cond_i(current) THEN intCtrl
      WITH [f := f(intCtrl) WITH [(t1, ..., tn) := t]]
    ELSE intCtrl ENDIF

If the guard cond_i is true in the current state, then the updated intermediate controlled state intCtrl is returned; otherwise the state intCtrl is returned unchanged (all terms ti and t are computed in the current state).

2. If Stat_i has the form extend Delta with alpha, then Ri is translated into PVS as follows:

  Ri(current, intCtrl) : CTRLSTATE =
    IF cond_i(current) THEN intCtrl
      WITH [Delta := add(alpha, Delta(intCtrl))]
    ELSE intCtrl ENDIF

If the guard cond_i is true, the element alpha is added to Delta as evaluated in intCtrl; otherwise intCtrl is returned unchanged.

The following examples may help to better understand rule encoding.

Example 1. Let the rules be

  R1: if x = 0 then y := 5    R2: if y = 5 then x := 2    R3: z := x + y

The controlled state is defined as a record of three variables:

  CTRLSTATE: TYPE = [# x: int, y: int, z: int #]

The three rules are defined as follows:

  R1(current, intCtrl) : CTRLSTATE =
    IF x(current) = 0 THEN intCtrl WITH [y := 5]
    ELSE intCtrl ENDIF

  R2(current, intCtrl) : CTRLSTATE =
    IF y(current) = 5 THEN intCtrl WITH [x := 2]
    ELSE intCtrl ENDIF

  R3(current, intCtrl) : CTRLSTATE =
    intCtrl WITH [z := x(current) + y(current)]

Example 2 (with sets). Let the rules be

  R1: if Delta = ∅ then extend Delta with a
  R2: if Delta = ∅ then extend Delta with b

Assuming that the elements of the set Delta belong to a certain type elementType, and that a and b are two constants of that type:

  elementType : TYPE
  a, b : elementType

the controlled state is defined as a record containing only the set Delta:

  CTRLSTATE: TYPE = [# Delta: SETOF[elementType] #]

The two rules become:

  R1(current, intCtrl) : CTRLSTATE =
    IF empty?(Delta(current)) THEN intCtrl
      WITH [Delta := add(a, Delta(intCtrl))]
    ELSE intCtrl ENDIF

  R2(current, intCtrl) : CTRLSTATE =
    IF empty?(Delta(current)) THEN intCtrl
      WITH [Delta := add(b, Delta(intCtrl))]
    ELSE intCtrl ENDIF

Note that both guards are evaluated in current, so when Delta is empty both rules fire in the same step; since the extending updates read Delta from intCtrl, the next Delta contains both a and b rather than only the element added by the last rule in the list.



Nondeterminism. In ASMs non-determinism can be expressed using the constructor choose, which allows one to write a rule R(x) choosing randomly an x satisfying given conditions:

  choose x in U s.t. g(x)

In PVS choose can be encoded by a monitored function from the environment to the subset of U consisting of the elements satisfying the condition g(x):

  chooseX : [ENV -> {x: U | g(x)}]

The subcase choose x in U is encoded by chooseX : [ENV -> U]. Non-determinism is captured by leaving undefined (without any specified mathematical law) the function chooseX. Therefore, for any given environment e, the value of chooseX(e) in {x: U | g(x)} is not determined.
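The rule-composition scheme of this section, Example 1 and the choose encoding can be run rather than only read. The following Python model is an added example, not code from the paper (whose encoding is in PVS): it mirrors Ri, apply, nextCtrlState, nextEnv and next, so that guards and terms are read from current while updates land in intCtrl, and contrasts that with the result of (wrongly) reading guards from the intermediate state. The environment is a plain dict supplied by the caller, standing in for the uninterpreted nextEnv; the names choose_x, chosen_x and wrong_sequential_step are illustrative and do not occur in the paper. It also includes the multisets theory from the beginning of this section as dict-based functions.

```python
"""Executable model of the rule encoding of Section 2.3 (added example,
not the paper's PVS code).  Rules are functions Ri(current, intCtrl):
guards and terms are evaluated in `current`, updates are applied to
`intCtrl`, which is what makes all rules fire on the same state even
though they are composed one after the other.  The environment is a dict
handed in by the caller (PVS leaves nextEnv uninterpreted); choose_x,
the env key "chosen_x" and wrong_sequential_step are illustrative names."""
from typing import Callable, Dict, List, NamedTuple


class State(NamedTuple):
    env: dict    # monitored part (ENV)
    ctrl: dict   # controlled part (CTRLSTATE), here the record x, y, z


Rule = Callable[[State, dict], dict]


# Example 1:  R1: if x = 0 then y := 5
#             R2: if y = 5 then x := 2
#             R3: z := x + y
def r1(current: State, int_ctrl: dict) -> dict:
    return {**int_ctrl, "y": 5} if current.ctrl["x"] == 0 else int_ctrl


def r2(current: State, int_ctrl: dict) -> dict:
    return {**int_ctrl, "x": 2} if current.ctrl["y"] == 5 else int_ctrl


def r3(current: State, int_ctrl: dict) -> dict:
    # both terms are read from `current`, never from int_ctrl
    return {**int_ctrl, "z": current.ctrl["x"] + current.ctrl["y"]}


RULES: List[Rule] = [r1, r2, r3]


def apply(s0: State, cs_i: dict, rules: List[Rule]) -> dict:
    """The recursive `apply` of the paper: fold the rule list over the
    intermediate controlled state, always reading guards from s0."""
    if not rules:
        return cs_i
    head, *tail = rules
    return apply(s0, head(s0, cs_i), tail)


def next_ctrl_state(s: State, rules: List[Rule] = RULES) -> dict:
    """nextCtrlState(s) = apply(s, s`ctrl, rules)."""
    return apply(s, s.ctrl, rules)


def next_state(s: State, next_env: Callable[[State], dict],
               rules: List[Rule] = RULES) -> State:
    """next(s) = (# env := nextEnv(s), ctrl := nextCtrlState(s) #)."""
    return State(env=next_env(s), ctrl=next_ctrl_state(s, rules))


def wrong_sequential_step(s: State, rules: List[Rule] = RULES) -> dict:
    """What goes wrong if guards are read from the intermediate state:
    R2 then sees the y := 5 written by R1 and fires in the same step."""
    cs = s.ctrl
    for rule in rules:
        cs = rule(State(s.env, cs), cs)
    return cs


# choose x in U s.t. g(x), encoded as a monitored function of the
# environment (chooseX : [ENV -> {x: U | g(x)}]).  The environment dict
# carries the chosen value under the assumed key "chosen_x"; only the
# constraint g(x) is checked here.
def choose_x(env: dict, g: Callable[[int], bool]) -> int:
    x = env["chosen_x"]
    if not g(x):
        raise ValueError(f"environment chose {x!r}, which violates g(x)")
    return x


# The multisets theory: a multiset over T is a total function T -> nat,
# represented by a dict whose missing keys count as 0.
def ms_member(x, a: Dict) -> bool:
    return a.get(x, 0) > 0


def ms_empty(a: Dict) -> bool:
    return not any(n > 0 for n in a.values())


def ms_add(x, a: Dict) -> Dict:
    """`add`: the same multiset with one more occurrence of x."""
    b = dict(a)
    b[x] = b.get(x, 0) + 1
    return b


if __name__ == "__main__":
    s = State(env={}, ctrl={"x": 0, "y": 1, "z": 2})
    print(next_ctrl_state(s))          # {'x': 0, 'y': 5, 'z': 1}
    print(wrong_sequential_step(s))    # {'x': 2, 'y': 5, 'z': 7}
```

Starting from x = 0, y = 1, z = 2, the faithful composition yields x = 0, y = 5, z = 1 (R2 does not fire because y is 1 in current), whereas the sequential variant yields x = 2, y = 5, z = 7, which is the behaviour the one-step-interpreter style of Remark 3 would have to rule out by hand.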

2.4 Validating Specifications through Simple Proofs

After having specified system universes, functions and rules, the designer should check whether the specification is correct or not, i.e. if it meets the users' needs and if it satisfies all the desired properties (requirements).

A first step in this direction is to check some possible behaviors of the system as specified and compare them with the desired behaviors. This approach is followed by simulators (like the ASM Workbench and ASM-Gofer). A similar approach might be followed in our encoding, probing the specification by means of "formal challenges". With this term we mean putative theorems, i.e. properties that should be true if the specification is correct. The designer should start from formally specifying and proving very simple statements and then gradually prove more complex properties. Only at the end should he/she try to prove the complete requirements.

In our example a very simple property is: "if in state s x is 0, y is 1 and z is 2, then in the next state x should be equal to 0, y to 5 and z to 1". It can be encoded as the following lemma:

  prop1: lemma
    s`ctrl = (# x := 0, y := 1, z := 2 #)
      => next(s)`ctrl = (# x := 0, y := 5, z := 1 #)

We have proved the lemma prop1 simply using the decision procedures of PVS for rewriting and symbolic execution. More complex and complete properties might contain quantification on system quantities and, therefore, to be proved they might need the use of more advanced strategies.

The main goal of these short proofs is to gain a deeper understanding of the system, to become confident in the correctness of the proposed formal description, and to discover possible errors or faults as early as possible, since it is widely acknowledged that the cost of correcting specification errors is orders of magnitude higher in the later stages of the life cycle of the system (like during testing or during its normal functioning). At the end the designer should be able to formally state and prove the actual requirements. Verification of system requirements is the subject of the following sections.

2.5 Using Induction to Prove Invariants

In mathematics induction is widely used to prove properties that hold for every natural number. In formal models that describe system behavior as a sequence of states (as the ASM approach does), the same scheme can be used to prove system invariants, i.e. properties holding in every state. In this case induction is based on the following theorem:

Theorem 1. Let S_0 be the set of all initial states and P(s) a property on the states. If

  (i.) P(s_0) holds for every s_0 ∈ S_0;
  (ii.) P(s) ⇒ P(s') for every pair of states s, s' such that s' = next(s)

then P is an "invariant".

In our encoding we have added and proved the theorem as follows:

  induction: THEOREM
    (forall (s : STATE) : P(s) => P(next(s))) and
    (forall (s : (init)) : P(s)) implies INV(P)

where (init) denotes the set of initial states and P the property to prove as invariant (INV(P) means that P is true in the initial states and in every reachable state).

This theorem, along with an "ad hoc" strategy that we have added to the PVS file pvs-strategies, provides an induction scheme that can be used to prove invariants in ASM models.

Note that hypothesis (ii.) ranges over all states, not only over the reachable ones: a property that happens to hold in every reachable state may still fail to be inductive, and then has to be strengthened with additional conjuncts before the theorem applies.

2.6 Trace Properties

A trace is an (infinite) sequence s_0, s_1, ..., s_n, ... of states (a state should be considered as compound of the controlled part and the environment) satisfying the property that: (a) s_0 is a valid initial state, and (b) for every pair of subsequent states s_i, s_{i+1} it holds that s_{i+1} is the next state of s_i.

In our encoding a trace is formalized as a sequence of states satisfying the property of being a trace:

  trace: TYPE = {x : sequence[STATE] | member(first(x), init)
                   and forall n: nth(x, n+1) = next(nth(x, n))}

Trace properties are properties on traces, i.e. properties which are expressed and proved in terms of traces. The two most common types of trace properties are:

  - properties holding in every state of every trace (always), or
  - properties holding at least in one state of every trace (eventually).

We can express in PVS that a property stateProp holds in every state of the trace t by the following predicate:

  always(t, stateProp) : bool = FORALL n: stateProp(nth(t, n))

We have proved the equivalence between this approach based on traces and that based on invariants by proving the following lemma:

Lemma 1. "stateProp is an invariant iff it always holds in every trace of the system"

In PVS:

  equivalence : LEMMA
    INV(stateProp) <=> forall t: always(t, stateProp)

We express in PVS that a property reachProp holds in some state of the trace t by the following predicate:

  eventually(t, reachProp) : bool = EXISTS n: reachProp(nth(t, n))

The always property is normally used to express "safety" requirements ("nothing bad will ever occur"): properties that must be true in every state. The eventually property normally expresses "liveness" properties ("something good will eventually happen"), modeling requirements that must eventually become true.

3 The Production Cell

In this section we explain the possible use of PVS as tool support for ASMs, using as case study the Production Cell model given in [4]. The main purpose of this section is not to show that the Production Cell specification of Börger and Mearelli satisfies safety and liveness properties. That has already been proved in [ 4] by means of a model checker. We simply like to show, through a concrete example, how to apply our method of encoding ASM specifications in PVS, and how to mechanize proofs.

3.1 Brief Introduction to the Production Cell Case Study

The production cell control problem was posed in [ ] as a case study derived from "an actual industrial installation in a metal-processing plant in Karlsruhe" to obtain a "realistic, comparative survey" for testing "the usefulness of formal methods for critical software systems and to prove their applicability to real-world examples" [ ]. Börger and Mearelli propose a solution of the production cell control problem in [4], and show how to integrate the use of ASMs into a complete software development life cycle.

  "... the production cell is composed of two conveyor belts, a positioning table, a two-armed robot, a press, and a travelling crane. Metal plates inserted in the cell via the feed belt are moved to the press. There they are forged and then brought out of the cell via the other belt and the crane." [ ]

The system is specified "as a distributed ASM with six modules, one for the six agents" (the feed belt, the deposit belt, the press, the elevating rotary table, the travelling crane and the robot) "composing the production cell, and working together concurrently where each of the components follows its own clock. Each of the agents represents a sequential process which can execute its rules as soon as they become enabled. The sequential control of each agent is formalized using a function currPhase(agent) which yields at each moment the current phase of the agent" [4]. We refer the reader to [4] for further details.

3.2 Specification

For convenience, we report below the signature and the module of the ground ASM program for the feed belt (FB).

  Monitored function: PieceInFeedBeltLightBarrier
  Shared function: TableLoaded (between FB and the elevating rotary table)
  Derived functions:
    TableInLoadPosition = (currPhase(ERT) = StoppedInLoadPosition)
    TableReadyForLoading = TableInLoadPosition and not TableLoaded
  Controlled functions: FeedBeltFree,
    currPhase(FB) ∈ {NormalRun, Stopped, CriticalRun}

  Module FB:
    if currPhase(FB) = NormalRun and PieceInFeedBeltLightBarrier then
      FeedBeltFree := true
      if TableReadyForLoading then currPhase(FB) := CriticalRun
      else currPhase(FB) := Stopped
    if currPhase(FB) = Stopped and TableReadyForLoading then
      currPhase(FB) := CriticalRun
    if currPhase(FB) = CriticalRun and not PieceInFeedBeltLightBarrier then
      currPhase(FB) := NormalRun
      TableLoaded := true

  Initialization: currPhase(FB) = NormalRun, FeedBeltFree = true,
    PieceInFeedBeltLightBarrier = false
We now report the PVS encoding of the feed belt specification. We define the enumerated type containing all the possible values of the feed belt phase:

  FBPhase : TYPE = {NormalRun, Stopped, CriticalRun}

The controlled function FeedBeltPhase is then included as a component of the record CTRLSTATE, which represents the controlled part (controlled and shared functions) of the (global) state:

  CTRLSTATE : TYPE =
    [# FeedBeltPhase : FBPhase,
       FeedBeltFree : bool,    % controlled by the FB
       TableLoaded : bool,     % controlled by the FB and ERT
       ... #]

The dots are replaced by the controlled part of the other agents, which we skip for the sake of conciseness. A monitored variable is defined as a function from the environment to its domain, as:

  PieceInFeedBeltLightBarrier : [ENV -> bool]

Starting from the definitions of monitored and controlled functions, derived functions are defined as:

  TableInLoadPosition(s : CTRLSTATE) : bool =
    ERTPhase(s) = StoppedInLoadPosition
  TableReadyForLoading(s : CTRLSTATE) : bool =
    TableInLoadPosition(s) and not TableLoaded(s)

The initial state is modeled by a predicate over the states (we report only the part concerning the FB):

  init(s : STATE) : bool =
    FeedBeltPhase(s) = NormalRun and FeedBeltFree(s)
    and not PieceInFeedBeltLightBarrier(s) ...

For the rules we report only the example of the FB_NORMAL rule:

  FB_NORMAL(current, intCtrl) : CTRLSTATE =
    if FeedBeltPhase(current) = NormalRun and
       PieceInFeedBeltLightBarrier(current)
    then intCtrl with
           [FeedBeltFree := true,
            FeedBeltPhase := if TableReadyForLoading(current)
                             then CriticalRun
                             else Stopped
                             endif]
    else intCtrl
    endif




3.3 Safety Properties

Using PVS we have proved all the safety properties (for the feed belt, the deposit belt, the press, the elevating rotary table, and the travelling crane) of the Production Cell as given in [4]. For some of these properties, the encoding in PVS and the proof are straightforward. Others require some user effort and skill. In order to discuss the degree of interaction necessary for proving in PVS the requirements of the Production Cell case study, we present some selected examples of proved properties having different degrees of complexity.

The FeedBelt Safety Property "the feed belt does not put metal blanks on the table if the latter is already loaded or not stopped in loading position" has been quickly encoded, considering that the feed belt puts metal blanks on the table only when it is in the CriticalRun phase:

  FeedBeltSafety : theorem
    FeedBeltPhase(s) = CriticalRun
      => ElevatingRotaryTablePhase(s) = StoppedInLoadPosition
         and not TableLoaded(s)

(In this theorem and in the following ones, s must be considered as universally quantified over the set of all states reachable from an initial state.)

The proof of this property, reported below, is immediate (as is its hand proof in [4]):

  ("" (<induction strategy>)
   (("1" (<expand next and rules>) (GRIND))
    ("2" (TYPEPRED "is!1") (GRIND))))

The first command applies the induction theorem presented in Section 2.5. By induction the proof is split into two parts: the induction step (proved by the branch "1") and the initial state (branch "2"). The second command is a strategy defined in our encoding that expands the definitions of the next state and of the rules. (GRIND) is a command that rewrites the remaining definitions, splits the cases and applies the decision procedures of PVS. (TYPEPRED "is!1") recalls the type definition of the initial state "is!1". The last (GRIND) expands the definition of the initial state and applies the decision procedures.

This proof case shows that the user effort to write properties and obtain the relative proofs might be very low. According to our experience, all the simplest properties, whose proofs do not involve assumptions about the environment, require a minimal user interaction, and their proofs can be performed using induction, case splitting, decision procedures, and rewriting rules. However, many other properties have to be proved taking into consideration the interaction of the system with the environment. In these cases, proving properties might require greater user effort and skill. As an example, consider the first part of the Press Safety Property "the press is not moved downward if it is in its bottom position". Its encoding is straightforward:
  PressSafety1a : theorem
    PressBottomPosition(s) =>
      not PressMotorDown(Press(next(s)))

To prove this property we have to introduce an assumption about the monitored function BottomPosition, asserting that "if the press is closed for forging then it is not already in the bottom position":

  notBottom : axiom
    PressPhase(s) = ClosedForForging => not BottomPosition(s)

This is an obvious implication considering how the system works, but we have to explicitly state it by means of an axiom. Upon introducing the notBottom axiom, the proof of the Press Safety Property is obtained by applying induction, expanding the definitions and applying the decision procedures. For other properties we introduce similar assumptions by means of axioms, and recall these axioms during proofs. These assumptions often concern the correct behavior of the sensors, and sometimes are missing in the original description because they are implicitly assumed. This again shows that automatic support may help to uncover errors, forcing the designer to precisely introduce every assumption. We also note that these assumptions are introduced by means of logical statements, similar to those given in [4], while a model checker would require us to express them in an operational way.

An axiom introduced this way is trusted rather than proved: if it contradicts the rules (or another axiom), the encoding becomes inconsistent and every property, including false ones, becomes provable. Environment assumptions should therefore be kept minimal, reviewed as carefully as the rules themselves, and, where possible, checked against the actual behaviour of the sensors they describe.

Another example we like to report here is the Press Safety Property 2: "the press does not close when a robot arm is positioned inside it". In order to encode it in a concise form, we introduce two (derived) boolean functions, PressIsClosing and ArmInPress, defined as

  PressIsClosing(s) : bool = PressMot(PressPhase(s)) = up

i.e. the press is closing only when its motor is going up, and

  ArmInPress(s) : bool =
    Arm1Ext(s) > 0 and Angle(s) = Arm1ToPress or
    Arm2Ext(s) > 0 and Angle(s) = Arm2ToPress

Using these definitions the press safety property becomes:

  PressSafety2 : theorem
    PressIsClosing(s) => not ArmInPress(s)

To prove this property we model the angle of the robot arm by the monitored variable Angle, encoded as a function on the environment:

  Angle : [ENV -> real]

We formalize all the assumptions about the movement of the robot: when the robot rotates, how the angle changes, and how the sensors communicate to the robot to stop. We prove the Press Safety Property 2 using induction, case analysis (considering all the possible robot phases in the current and in the next state), recalling the assumptions about the robot movement, and applying the automatic decision procedures of PVS.
3.4 Liveness Property

We have proved the liveness property as well, i.e. that the system never goes into deadlock. We have stated it as "every component in the system will eventually change its state". This statement is weaker than the property proved (by hand) in [4]. Börger and Mearelli also establish a performance evaluation about the number of pieces that the cell is able to process cyclically. The proof of this performance property is under investigation. Our property is similar to the "progress agent property" stated in [4].

In order to prove liveness, we model and specify some assumptions about the environment (those called "Cell Assumptions" in [4]). For example we assume that every object on the feed belt keeps moving until eventually it arrives at its destination and the monitored function PieceInFeedBeltLightBarrier becomes true:

  FBAssumption : axiom
    FeedBeltPhase(s) = NormalRun =>
      exists (ns : (followingOrNow(s))) : PieceInFeedBeltLightBarrier(ns)

where followingOrNow(s) is the set of all states obtained by repeatedly applying the function next to the state s, together with the state s itself.

We make similar assumptions for every state of every component of the cell; thus we assume that every component keeps moving till the monitored function of interest (which is selected on the basis of the state and the component) eventually changes its value. Starting from these assumptions we prove, for example, the liveness of the FB:

  FeedBeltProgress : lemma
    exists (ns : (following(s))) :
      not FeedBeltPhase(ns) = FeedBeltPhase(s)

Using the same approach we are able to prove similar properties for every agent.
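The FeedBeltSafety theorem of Section 3.3 and the FeedBeltProgress lemma above can also be checked by enumeration once the fragment is made finite. The following Python model is an added example, not the paper's PVS development nor the case study's code: it encodes the three feed-belt rules of the ground program in Section 3.2 as guarded functions over (current, intCtrl), composes them as in Section 2.3, and lets the environment choose the value of PieceInFeedBeltLightBarrier freely at each step. The elevating rotary table (ERT) is reduced to a two-phase stub assumed here (it rotates away once loaded and returns unloaded), so that TableLoaded actually changes; the real case study has more agents and phases. On this finite state space the two obligations of the induction theorem of Section 2.5 are checked over the reachable states, and progress is checked as "from every reachable state, some following state (for some environment choices) has a different feed-belt phase", which is the existential reading of the lemma that the FBAssumption axiom supports in PVS.

```python
"""Exhaustive check of the feed-belt fragment of Section 3 (added example
in Python, not the paper's PVS code).  The feed-belt rules follow the
ground program of Section 3.2; the elevating rotary table (ERT) is a
two-phase stub assumed here; the environment is the single monitored
function PieceInFeedBeltLightBarrier, chosen freely at every step.  On
this finite state space the induction theorem of Section 2.5 and the
progress lemma of Section 3.4 can be checked by enumeration."""
from collections import deque

NORMAL_RUN, STOPPED, CRITICAL_RUN = "NormalRun", "Stopped", "CriticalRun"
SILP, ROTATING = "StoppedInLoadPosition", "Rotating"  # ROTATING is our stub

# A state is (PieceInFeedBeltLightBarrier, ctrl); ctrl is a frozenset of
# (field, value) pairs standing in for the PVS record CTRLSTATE.
def rec(**fields):
    return frozenset(fields.items())

def get(ctrl, name):
    return dict(ctrl)[name]

def upd(ctrl, **changes):
    return rec(**{**dict(ctrl), **changes})

def table_ready_for_loading(ctrl):          # derived function of Section 3.2
    return get(ctrl, "ERTPhase") == SILP and not get(ctrl, "TableLoaded")

# feed-belt rules: guards read `current`, updates are applied to `int_ctrl`
def fb_normal(current, int_ctrl):
    lb, ctrl = current
    if get(ctrl, "FeedBeltPhase") == NORMAL_RUN and lb:
        phase = CRITICAL_RUN if table_ready_for_loading(ctrl) else STOPPED
        return upd(int_ctrl, FeedBeltFree=True, FeedBeltPhase=phase)
    return int_ctrl

def fb_stopped(current, int_ctrl):
    _, ctrl = current
    if get(ctrl, "FeedBeltPhase") == STOPPED and table_ready_for_loading(ctrl):
        return upd(int_ctrl, FeedBeltPhase=CRITICAL_RUN)
    return int_ctrl

def fb_critical(current, int_ctrl):
    lb, ctrl = current
    if get(ctrl, "FeedBeltPhase") == CRITICAL_RUN and not lb:
        return upd(int_ctrl, FeedBeltPhase=NORMAL_RUN, TableLoaded=True)
    return int_ctrl

def ert(current, int_ctrl):   # assumed stub: rotate away once loaded, return empty
    _, ctrl = current
    if get(ctrl, "ERTPhase") == SILP and get(ctrl, "TableLoaded"):
        return upd(int_ctrl, ERTPhase=ROTATING)
    if get(ctrl, "ERTPhase") == ROTATING:
        return upd(int_ctrl, ERTPhase=SILP, TableLoaded=False)
    return int_ctrl

RULES = [fb_normal, fb_stopped, fb_critical, ert]

def next_states(s):
    """All successors: rules composed as in Section 2.3, env chosen freely."""
    ctrl = s[1]
    for rule in RULES:
        ctrl = rule(s, ctrl)
    return {(lb, ctrl) for lb in (False, True)}

def initial_states():   # init: NormalRun, FeedBeltFree, not in light barrier
    return {(False, rec(FeedBeltPhase=NORMAL_RUN, FeedBeltFree=True,
                        TableLoaded=False, ERTPhase=SILP))}

def reachable(start):
    seen, todo = set(start), deque(start)
    while todo:
        for t in next_states(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def feed_belt_safety(s):
    ctrl = s[1]
    return get(ctrl, "FeedBeltPhase") != CRITICAL_RUN or (
        get(ctrl, "ERTPhase") == SILP and not get(ctrl, "TableLoaded"))

def is_invariant(prop):
    """Induction theorem of Section 2.5 with s over reachable states:
    prop holds initially, and prop(s) implies prop(t) for every successor t."""
    inits = initial_states()
    return all(prop(s) for s in inits) and all(
        not prop(s) or all(prop(t) for t in next_states(s))
        for s in reachable(inits))

def feed_belt_progress():
    """FeedBeltProgress: from every reachable s some state in following(s)
    (reachable from a successor of s under some environment) has another phase."""
    for s in reachable(initial_states()):
        phase = get(s[1], "FeedBeltPhase")
        if all(get(t[1], "FeedBeltPhase") == phase for t in reachable(next_states(s))):
            return False
    return True
```

The exploration visits twelve states; feed_belt_safety is inductive on all of them, while a property such as "the table is never loaded" is rejected because it holds initially but is broken by the CriticalRun step. Replacing the guard of the ERT stub so that the table may rotate while still unloaded makes is_invariant(feed_belt_safety) fail, which is the kind of environment assumption the PVS proofs have to state explicitly as axioms.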

4 Related Work and Conclusions

Several attempts at applying both theorem provers and model checkers to ASM models have been performed. In [ 2] the KIV (Karlsruhe Interactive Verifier) system has been used to mechanically verify the proof of correctness of the Prolog-to-WAM transformation. PVS has been used in [7, ] to perform mechanical verification of the correctness of back-end rewrite system (BURS) specifications. A model checker approach is reported in [ 4], where the correctness of the Production Cell specification of Börger and Mearelli has been proved through model checking. Recently, an interface from the ASM Workbench to a model checking tool, based on a transformation of ASMs into the model checker's input language, has been presented in [6]. A direct comparison of our approach can be made with the work of Dold et al. using PVS and with Winter's work using a model checker.

Along our presentation, especially in Remarks 1, 2 and 3, we have discussed the differences between Dold et al.'s approach and ours. We provide a more natural translation of ASMs in PVS, keeping the set of transition rules as a set of different rules, instead of forcing the user to define an equivalent transformation function in terms of one meta rule. We also provide the user with useful templates to guide his/her formalization of ASMs in PVS. These templates have also allowed us to provide a framework for a tool to automatically translate ASM specifications into PVS. This tool is under development and we plan to integrate it into the ASM Workbench system. In addition we present proof schemes to encode and prove invariants and properties on traces.

Although the approach based on a model checker allows property verification in a completely automatic manner (unless the well known state explosion problem arises), the advantages of using our approach regard both the specification and the verification phase. We can easily manage specifications with infinite sets and an unbounded number of agents, as PVS has a powerful language (to represent functions, sets, lists and so on), has a strong type system, and we can use the usual logical constructs (like universal and existential quantification). Proofs can be performed almost automatically in the simplest cases (as shown in the Production Cell case study). For more complex properties, in any case, our encoding can be used to check proofs done by hand or to support the user during the proof in an interactive way. In connection with the results presented in [ 4], we like to remark that the model checking approach can deal only with a finite set of agents, each agent having a finite number of possible states. This is the case of the Production Cell, under the assumption that continuous intervals (for example, the robot angle values) can be treated as finite sets of discrete values. This assumption was indeed used by Winter in [ 4], while it is not necessary in our approach, since we are able to deal with infinite sets (for example, we treat the robot angle as a real number). The correctness proof (with its results) of the Production Cell specification as it is shown in [ 4] has to be related to the added formalization of the environmental behavior. It is a major benefit of our approach that the assumptions regarding the interaction of the system and the environment can be formalized in a logical way and not in an operational way (i.e. in terms of transition rules) as required in [ 4].

Concluding, we like to stress our confidence that the proposed encoding also works well for multi-agent ASMs with an unlimited number of agents, which are very complex to treat. It is not so hard to imagine how difficult performing mechanized proof verification of properties regarding interleaving computations of agents can be. The case study presented here is an example of a multi-agent system, but with a limited number of agents. However, the method has been successfully applied to analyze properties of crypto-protocols, where an unlimited number of agents run simultaneously. Security and authentication properties of the ASM specification presented in [ ] have been proved in PVS using the technique of invariants. We have voluntarily left the presentation of these results out because they would require a specific treatment.

Acknowledgments. We kindly like to thank Egon Börger for his useful advice. We also thank the anonymous referees for their helpful suggestions.
Abstract. We propose a systematic investigation of the (semi-)automatic verifiability of ASMs. As a first step, we put forward two verification problems concerning the correctness of ASMs and investigate the decidability and complexity of both problems.



1 Introduction

Abstract state machines (ASMs) [ 4, 5, 6] have become the formal foundation of a successful methodology for specification and verification of complex hardware and software systems. This is particularly witnessed by numerous publications using the ASM formalism for rigorous mathematical correctness proofs of large-scale applications. (See the recent bibliography [5] and the web site [24]. For an introduction to the ASM verification method the reader is referred to [7].)

Interestingly, most of these contributions focus on manual verification, while the number of publications where all or part of the verification process is automated is rather small. (For exceptions see [25,26, 2,6] and consult [24].) In a nutshell, computer-aided verification of ASMs, i.e., (semi-)automatic verification of dynamic systems expressed in terms of ASMs, has not yet been well developed. In view of the success of the ASM verification method in manual verification, we think there is need for a systematic investigation of the (semi-)automatic verifiability of ASMs. The present paper can be viewed as an attempt to initiate such an investigation.

As a first step toward a systematic investigation of the verifiability of ASMs, we have to make precise what exactly we mean by "verifying ASMs". In its full generality, the problem of verifying ASMs can be seen as a decision problem of the following kind:

  Given an ASM (i.e., a formal description of some dynamic system) and a specification (i.e., a formal description of a desirable property of the system), decide whether the ASM "satisfies" the specification.

One of our main goals in this paper is to identify decision problems of the above kind such that solving these problems coincides with proving properties of ASMs. We put forward two such problems, which we call the model-checking problem and the verification problem for ASMs.
Gurevich et al. (Eds.), pp. 3 3–34
The model-checking problem for ASMs, denoted MC, can be stated informally as follows:

  MC: Given an ASM, a specification, and an input appropriate for the ASM, decide whether the specification holds during all possible computations of the ASM on that input.

Note that, in general, MC cannot be solved by means of testing, i.e., by simply running a given ASM on a given input and observing whether a given specification is satisfied. There are two reasons for this. Firstly, the ASM may be non-deterministic or may access external functions or relations. For instance, if the ASM chooses a natural number in the first step and then proceeds depending on that choice, one would have to run it for each of the infinitely many possible choices. Secondly, even if the ASM is deterministic and does not interact with its environment, it may not halt on the input.

The above formulation of MC immediately raises the question of a specification language for ASMs, i.e., a formal language suitable to express properties of ASMs. Since in the literature there is no consensus on the choice of such a language, we advocate here first-order branching temporal logic as specification language for ASMs. (This is a straightforward extension of the well-known propositional branching-time logic by first-order reasoning [ ]. For details see the next section.) Another open issue is the notion of input. The question is which type of input is suitable for ASMs, and what does the initial state of an ASM on some input look like? Concerning this question we follow [2,4, 3,3] and consider ASMs whose inputs are finite structures. To not impose unnecessary restrictions on the initial states of ASMs, we associate with every ASM a function that maps every input appropriate for the ASM to an initial state of the ASM on that input. In principle, this function can be any mapping from inputs to states.

The investigation of MC is motivated mainly by applications where it suffices to ensure correctness of an ASM for only a small number of inputs. As an example, consider an ASM running on the notebook computer of a salesperson. The ASM receives as input a database, say, the catalog of a supplier stored on the notebook, and interacts with the salesperson via some external relations. The salesperson may inquire about the availability and prices of certain products or may store customer orders in a dynamic relation of the ASM. Since in this scenario the ASM runs on the given database only, we can check whether it satisfies a specification by deciding whether the triple (ASM, specification, database) is a positive instance of MC.

Although a solution of MC is interesting for certain applications, there are many applications where correctness of an ASM must be guaranteed for all admissible inputs, of which there are often infinitely many. For instance, a compiler is usually supposed to correctly translate an input program of arbitrary length. In such cases one has to check whether, for a given ASM and a given specification, the pair is a positive instance of MC for every admissible input. This problem, which we call the verification problem for ASMs and denote VERIFY, can be stated informally as follows:

  VERIFY: Given an ASM and a specification, decide whether for every input appropriate for the ASM, the specification holds during all possible computations of the ASM on that input.
Not surprisingly, both MC and VERIFY are, in their full generality, undecidable, as ASMs are computationally complete. (Indeed, every Turing machine can be regarded as a particularly simple ASM. It is an easy exercise to define a reduction of the halting problem for Turing machines to both problems.) Therefore, we investigate the decidability of MC and VERIFY with respect to classes of restricted ASMs. The idea is to formulate conditions on ASMs such that MC (resp. VERIFY) becomes decidable for ASMs that satisfy these conditions. Once decidability with respect to a class of ASMs is established, all ASMs in this class are automatically verifiable in the sense that there exists a procedure which checks whether a given ASM satisfies a given specification on a particular input (resp. on all inputs).

It is worth noticing that for unrestricted ASMs, MC and VERIFY collapse to the same problem. For example, in order to decide whether a given ASM together with a specification is a positive instance of VERIFY, it suffices to decide whether a modified ASM, together with the same specification and an arbitrary input, is a positive instance of MC, where the modified ASM ignores its input, non-deterministically chooses some other input (of arbitrary size!), and then simulates the original ASM on it. However, MC and VERIFY do not necessarily coincide for restricted ASMs. Consider, for example, ASMs defined by means of a single rule of the form (if γ then accept), where the guard γ is a first-order sentence. Checking whether such an ASM accepts a particular input structure can be done in PSPACE, whereas verifying that it accepts all input structures is undecidable by Trakhtenbrot's theorem [ ].

Although deciding MC appears to be easier than deciding VERIFY, it is a priori not clear whether a solution of VERIFY (for a class of ASMs) implies a solution of MC (for the same class of ASMs). The question is whether MC is a subproblem of VERIFY in the sense that there exists a reduction of MC to VERIFY with respect to fixed classes of ASMs. We give some formal evidence that this is indeed the case, thereby also providing a justification for the title of the paper.

Outline. In the next section, we recall first-order branching temporal logic, which will serve here as specification language for ASMs. In Section 3, we formally define the model-checking problem for ASMs and present some results concerning its decidability and complexity (with respect to classes of restricted ASMs). In Section 4, we define the verification problem for ASMs, show that it subsumes the model checking problem, and study its decidability and complexity.

2 Specifying Properties of ASMs

In order to investigate the automatic verifiability of ASMs we need a formal language suitable to express properties of ASMs. We propose to specify properties of ASMs in terms of first-order branching temporal logic. Formally, its formulas express properties of computation graphs of ASMs. These graphs can be viewed as collections of runs of ASMs and are introduced next.
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2. omputatio raphs 

e ass met e reader to e familiar it (seq e tial) s[ 5, 4]. o simplif 
t e de itio of comp tatio grap s, e rst i trod ce some additio al termi- 

olog a d otatio . 

oca ulari s. ca lar T is a q adr pie {T Tg a, T ) 

of ite, pair ise disjoi t voca laries. e s m ols i T ,Tg a ,^'d , a d T 
are called i t, static, d a zc, a d t r al s Is, respective! . ometimes 

e also de ote T t e (ordi ar ) voca lar T Tg a dd T . e 
i te ded mea i g ill e clear from t e co te t. or tec ical reaso s e s all 

al a s ass me t at T co tai s t e co sta t s m ol . 

Programs. Let Υ = (Υ_in, Υ_stat, Υ_dyn, Υ_ext) be a vocabulary. A program Π over Υ is a rule in the sense of [ 5], each of whose static (resp. dynamic, external) symbols occurs in Υ_in ∪ Υ_stat (resp. Υ_dyn, Υ_ext). Intuitively, the symbols in Υ_stat denote those relations and functions which are static and not included in the input of an ASM (e.g., arithmetical operations).

States. A state S over a vocabulary Υ is a structure over the (ordinary) vocabulary Υ. We consider both finite and infinite states of ASMs.

Transitions. Let Π be a program over Υ. The one-step semantics of Π defines a binary transition relation →_Π between states over Υ as usual. That is, (S, S') ∈ →_Π iff
1. S and S' are states over Υ, and
2. S' is the successor state (or sequel) of S with respect to Π in the sense of [ 5].

Remark 1. (a) If Π contains choose, import, or external symbols, then →_Π is in general non-deterministic, i.e., there may exist states S, S', S'' with (S, S'), (S, S'') ∈ →_Π and S' ≠ S''.
(b) If S is finite and Π contains import, then it may happen that Π attempts to import a new element, although the reserve of S is empty. One possible solution to this problem is to modify the semantics of import so that in states with empty reserve it always 'imports' the element denoted by ⊥.

Inputs. An input I over a vocabulary Υ is a finite structure over Υ_in.

Initialization mappings. An initialization mapping initial over a vocabulary Υ is a function which maps every input I over Υ to a state S_I over Υ satisfying the following three conditions:
1. The universe of I is a subset of the universe of S_I.
2. For every relation symbol R ∈ Υ_in, every n-ary function symbol f ∈ Υ_in, and every n-tuple ā of elements in S_I,
   R^{S_I}(ā) = R^I(ā) and f^{S_I}(ā) = f^I(ā) if ā consists of elements in I, and f^{S_I}(ā) = ⊥ otherwise.
3. For every input I' over Υ, if I and I' are isomorphic, so are S_I and S_{I'}.





Abstract state machines. An abstract state machine M is a triple (Υ, initial, Π) consisting of
— a vocabulary Υ,
— an initialization mapping initial over Υ, and
— a program Π over Υ without free variables.
Υ_in, Υ_stat, Υ_dyn, and Υ_ext are called the input, static, dynamic, and external vocabulary of M, respectively. An input appropriate for M is an input over Υ. M is deterministic if Π does not contain choose.

We can now define the notion of a computation graph of an ASM.

Definition 2. Let M = (Υ, initial, Π) be an ASM and I an input appropriate for M. The computation graph of M on I, denoted G(M, I), is a triple (States, Trans, S_0) where
— States is the set of those states over Υ whose universe is identical with the universe of initial(I),
— Trans ⊆ States × States is the restriction of →_Π to States, and
— S_0 := initial(I).
A run of M on I is an infinite path in G(M, I) starting at S_0.

Notice that for every M = (Υ, initial, Π) and for every input I appropriate for M, G(M, I) is finite iff initial(I) is finite.

Example 3. In this and the next example (Example 5) we show that classical model checking, i.e., checking whether a given finite-state system is a model of a given temporal formula (see, e.g., [ ]), is a special case of model checking ASMs. To this end, we display below a simple ASM whose computation graphs are finite-state systems.

In classical model checking, finite-state systems are often represented as Kripke structures. A Kripke structure K is a tuple (S, →, s_0, P_1, …, P_k) consisting of a finite set S of states, a binary transition relation → ⊆ S × S, an initial state s_0 ∈ S, and a sequence P_1, …, P_k of subsets of S. (Sometimes, the sequence P_1, …, P_k is also given in the form of a labeling function λ: S → 2^{{1, …, k}} with λ(s) = {i : s ∈ P_i} for each s ∈ S.) Since it is customary in the context of model checking, we assume that every s ∈ S has at least one →-successor, which may be s itself. G_K := (S, →) is called the transition graph of K.

We define M_Kr = (Υ, initial, Π) so that for every Kripke structure K, the computation graph of M_Kr on input G_K is isomorphic to G_K. The vocabulary of M_Kr is defined as follows: Υ_in := {E}, where E is a binary relation symbol (which will be interpreted as the edge relation of the input transition graph), Υ_dyn := {l}, where l is a nullary function symbol, Υ_stat := ∅, and Υ_ext := ∅. The program Π of M_Kr is:

program Π:
  choose x : E(l, x)
    l := x

Observe that the transition graph G_K of a Kripke structure K is a finite structure over Υ_in, and thus an input over Υ. The initialization mapping of M_Kr is defined by initial(G_K) := (G_K, s_0), where (G_K, s_0) denotes the state over Υ in which the universe and E are interpreted as in G_K and the nullary dynamic function symbol l is interpreted as s_0. One can now verify that S ↦ l^S is an isomorphism between G(M_Kr, G_K) and G_K.

2.2 First-Order Branching Temporal Logic

Recall that all runs of an ASM M on a particular input I are embedded in the computation graph of M on I. Hence, it is reasonable to express a property of M (on any input) as a property of all computation graphs of M. To express properties of computation graphs we propose first-order branching temporal logic (FBTL), which is a combination of first-order logic and the well-known propositional branching temporal logic CTL* [ , ]. On the one hand, first-order logic allows us to reason about the states of an ASM. (Recall that the states of an ASM are first-order structures.) On the other hand, CTL* enables us to reason about the temporal and non-deterministic behavior of an ASM. For instance, one can express that 'good things eventually happen' or that 'there exists a good run' of an ASM. For the reader's convenience we recall the definition of FBTL here.



Definition 4. State formulas and path formulas of first-order branching temporal logic are defined by simultaneous induction:
(S1) Every atomic (first-order) formula is a state formula.
(S2) If ψ is a path formula, then Eψ is a state formula.
(P1) Every state formula is a path formula.
(P2) If φ and ψ are path formulas, then Xφ, φUψ, and φBψ are path formulas.
(B1) If φ and ψ are state (resp. path) formulas, then ¬φ and φ ∨ ψ are state (resp. path) formulas.
(B2) If x is a variable and φ a state (resp. path) formula, then ∃xφ is a state (resp. path) formula.
The free and bound variables of state and path formulas are defined in the obvious way. FBTL denotes the set of state formulas.

Semantics of FBTL formulas. Intuitively, a state formula of the form Eψ expresses that there (E)xists an infinite path (presumably a run of an ASM) such that the path formula ψ holds along this path. The intuitive meaning of path formulas of the form Xφ, φUψ, and φBψ is as follows:
— Xφ: φ holds in the ne(X)t state.
— φUψ: ψ holds eventually and φ holds (U)ntil then.
— φBψ: either φ holds always or ψ holds (B)efore φ fails.

We formally define the semantics of FBTL formulas only with respect to computation graphs of ASMs. Let Υ be a vocabulary, φ a state formula over Υ, ψ a path formula over Υ, and G = (States, Trans, S_0) a computation graph of an ASM of vocabulary Υ. W.l.o.g., we may assume that free(φ) = free(ψ) = {x̄}. Let π = (S'_0, S'_1, …) be an infinite path in G (not necessarily starting at the initial state S_0 of G). For any j ∈ ω, let π^j denote the infinite path (S'_j, S'_{j+1}, …), i.e., the suffix S'_j S'_{j+1} … of π. By simultaneous induction, for every state S in G, every infinite path π in G, and all interpretations ā of the variables x̄ (chosen from the universe of S), define the two satisfaction relations (G, S) ⊨ φ[ā] and (G, π) ⊨ ψ[ā] by induction on the construction of φ and ψ:



(S1) (G, S) ⊨ φ[ā] :⟺ S ⊨ φ[ā], where φ is an atomic formula.
(S2) (G, S) ⊨ Eψ[ā] :⟺ there is an infinite path π in G starting at S such that (G, π) ⊨ ψ[ā].
(P1) (G, π) ⊨ φ[ā] :⟺ (G, S) ⊨ φ[ā], where S is the first state of π.
(P2) (G, π) ⊨ Xφ[ā] :⟺ (G, π^1) ⊨ φ[ā].
     (G, π) ⊨ φUψ[ā] :⟺ there exists j ∈ ω such that (G, π^j) ⊨ ψ[ā] and for all i < j, (G, π^i) ⊨ φ[ā].
     (G, π) ⊨ φBψ[ā] :⟺ for every j ∈ ω, if (G, π^j) ⊨ ¬φ[ā], then there exists i < j with (G, π^i) ⊨ ψ[ā].





The semantics of formulas derived by means of rule (B1) is standard. It remains to declare the semantics of formulas derived by means of rule (B2). Below, σ stands for either a state S or an infinite path π in G, depending on whether φ is a state or a path formula.
(B2) (G, σ) ⊨ ∃xφ[ā] :⟺ there is an element b in the universe of S such that (G, σ) ⊨ φ[ā, b].
For every FBTL sentence φ over Υ, let
   G ⊨ φ :⟺ (G, S_0) ⊨ φ.
The following abbreviations are customary and will be used frequently:
— Aψ := ¬E¬ψ (ψ holds along every path).
— Fφ := true U φ (φ holds eventually).
— Gφ := φ B false (φ holds always).
Note that φBψ = ¬(¬ψ U ¬φ).

Example 5. Recall the ASM M_Kr in Example 3. We observe that classical CTL* model checking is a special case of model checking ASMs. Let Υ_P = {P_1, …, P_k} be a vocabulary containing only set symbols, and l a nullary function symbol (as in the vocabulary of M_Kr). For every CTL* formula φ over Υ_P, obtain the FBTL sentence φ' over Υ_P ∪ {l} by replacing in φ every occurrence of P_i with the atomic formula P_i(l). Let M_Kr' be defined as M_Kr, except that the input vocabulary of M_Kr' is {E} ∪ Υ_P and the initialization mapping of M_Kr' maps every Kripke structure K of the form (S, →, s_0, P_1, …, P_k) to the state (K, s_0). One can verify that for every CTL* formula φ over Υ_P and every Kripke structure K of that form,
   G(M_Kr', K) ⊨ φ' iff K ⊨ φ.
In other words, we can check whether K is a model of φ by deciding whether (M_Kr', φ', K) is a positive instance of the model-checking problem for ASMs. In fact, in the next section we are going to define the model-checking problem for ASMs such that K ⊨ φ iff (M_Kr', φ', K) ∈ MC.

Examples of FBTL specifications motivated by concrete applications can be found in [22,23].

ck s r c c s 

Recall the informal formulation of the model-checking problem for ASMs in the introduction. If the reader agrees that FBTL (or some suitable extension of this logic) is an appropriate specification language for ASMs, then the model-checking problem for ASMs can be rephrased as follows:

MC: Given an ASM M, an FBTL sentence φ over the vocabulary of M, and an input I appropriate for M, decide whether G(M, I) ⊨ φ.

Notice, however, that this problem is still not a computational problem. The difficulty here is that the initialization mapping of an ASM M may not be finitely representable, in which case M cannot serve as input to a computational device. Next, we further restrict the above problem so that it becomes a computational problem. Then, in the second part of this section, we present some results concerning the decidability and complexity of the obtained computational problem.

3.1 The Model-Checking Problem

The problem of representing the initialization mappings of ASMs in finite terms disappears if we concentrate on ASMs uniformly initialized in the following sense.

Definition 6. A class C of ASMs is uniformly initialized if, whenever M and M' are two ASMs in C of the same vocabulary, then M and M' have the same initialization mapping.

With every uniformly initialized class C of ASMs and every vocabulary Υ, we can associate an initialization mapping initial_Υ, such that initial_Υ is the initialization mapping of every M ∈ C of vocabulary Υ. Observe that, in the context of a uniformly initialized class C of ASMs, every M ∈ C is uniquely determined by its vocabulary and program. More precisely, if Υ is the vocabulary and Π the program of M, then necessarily M = (Υ, initial_Υ, Π). This motivates the following definition.

Definition 7. The standard representation of an ASM M = (Υ, initial_Υ, Π) ∈ C is given by the pair (Υ, Π).

We are now in the position to define the model-checking problem for ASMs as a computational problem. Let C be a uniformly initialized class of ASMs and F a fragment of FBTL. The model-checking problem for C-ASMs and F-specifications is the following decision problem:

MC(C, F): Given the standard representation (Υ, Π) of an ASM M ∈ C, a sentence φ ∈ F over Υ, and an input I appropriate for M, decide whether G(M, I) ⊨ φ.

Remark 8. Note the subtlety in the above definition of MC, namely that by viewing an ASM M as a finitely representable pair (Υ, Π) the problem of actually representing the initialization mapping of M has not been solved, but rather has been made part of the model-checking problem itself.

Example 9. (a) For every vocabulary Υ_P = {P_1, …, P_k} containing only set symbols, and every CTL* formula φ over Υ_P, let M_Kr' and φ' be defined as in Example 5. Let C denote the class of all M_Kr', and set F = {φ' : φ ∈ CTL*}. C is uniformly initialized and we have (M_Kr', φ', K) ∈ MC(C, F) iff K ⊨ φ. That is, MC(C, F) coincides with the model checking problem for CTL*.

(b) We can define a class C of ASMs and a fragment F of FBTL such that MC(C, F) coincides with the symbolic model checking problem for CTL*. We sketch the idea. Consider a Kripke structure K of the form (S, →, s_0, P_1, …, P_k) and a CTL* formula φ over {P_1, …, P_k}. Obtain the formula φ' by replacing every occurrence of P_i with the Boolean symbol p_i. (A Boolean symbol is a nullary relation symbol.) K can be represented by means of Boolean formulas γ_→(x̄, ȳ), γ_1(x̄), …, γ_k(x̄) with x̄ and ȳ two n-tuples of Boolean variables, free(γ_→) = {x̄, ȳ}, and for each i, free(γ_i) = {x̄}. For simplicity, let us assume that for each i, γ_i(false, …, false) evaluates to false. Here is an ASM M_K with input vocabulary ∅, dynamic vocabulary {x̄, p_1, …, p_k}, and

program Π:
  choose ȳ ∈ {true, false}^n : γ_→(x̄, ȳ)
    if γ_1(ȳ) then p_1 := true else p_1 := false
    …
    if γ_k(ȳ) then p_k := true else p_k := false

such that for any input I appropriate for M_K, K ⊨ φ iff G(M_K, I) ⊨ φ'.

In the remainder of this section we investigate the decidability and complexity of MC(C, F).
3.2 Decidability and Complexity

We first observe that the model-checking problem is decidable for uniformly initialized ASMs whose initial states are finite and computable from the inputs.

Lemma 10. Let C be a uniformly initialized class of ASMs such that there
The decision procedure outlined in the proof of the lemma is often too expensive to be useful in practice, even if the complexity of the algorithm is low. For example, the number of reachable states of an ASM employing a non-nullary dynamic relation in general grows exponentially in the size of the initial state. Consequently, the space required for constructing a computation graph of an ASM explicitly can be exponential in the size of the input, independent of φ.

Next, we present a class of ASMs and a fragment of FBTL for which a useful restriction of MC(C, F) is in PSPACE.

Definition 11. An ASM M = (Υ, initial, Π) is finitely initialized if for every input I appropriate for M,
1. the universe of initial(I) is that of I, and
2. for every relation symbol R ∈ Υ − Υ_in, every n-ary function symbol f ∈ Υ − Υ_in, and every n-tuple ā of elements in initial(I),
   R^{initial(I)} = ∅ and f^{initial(I)}(ā) = ⊥.
Observe that the initialization mapping of every finitely initialized ASM M is uniquely determined by the vocabulary of M. In particular, every class of finitely initialized ASMs is uniformly initialized and for every such class there exists an algorithm as in Lemma 10.

Remark 12. (a) At the first glance, the second condition in Definition 11 may seem to render finitely initialized ASMs useless for practical purposes, because in applications the initial interpretations of the symbols in Υ − Υ_in must often satisfy certain conditions. In particular, it may not be desirable to have all symbols in Υ − Υ_in be initialized as in the second condition of the definition. But note that the initial interpretations of these symbols can be seen as part of the input of an ASM. For example, consider a finitely initialized ASM M whose nullary dynamic function l should assume, instead of ⊥, the value 42 in the initial state. This can be achieved by modifying M as follows. Let Π be the program of M, l_initial a new constant symbol, and running a new Boolean symbol. Replace Π with the following program:

program Π':
  if ¬running then
    l := l_initial
    running := true
  if running then
    Π

Now, while model checking M, consider only input structures in which the input symbol l_initial is interpreted as 42.

(b) Suppose that the second condition in Definition 11 is relaxed as follows: there is a distinguished symbol S ∈ Υ − Υ_in whose initial interpretation depends on Υ but is not restricted otherwise. We display a class C of simple ASMs finitely initialized in the relaxed sense and a simple fragment F of FBTL such that MC(C, F) is undecidable.

W.l.o.g., we may assume that S is a Boolean symbol and that every vocabulary contains S. Choose some undecidable problem
   U ⊆ {Υ : Υ is a vocabulary}.
(For instance, let T_Υ be the Turing machine whose encoding — in some fixed standard binary encoding — equals the binary representation of the number of symbols in Υ. Then U := {Υ : T_Υ halts on the empty word} is undecidable, as a reduction of the halting problem for Turing machines shows.) For every vocabulary Υ, let M_Υ := (Υ, initial_Υ, skip) be a finitely initialized ASM, except that now for every input I appropriate for M_Υ, initial_Υ(I) ⊨ S iff Υ ∈ U. Let C denote the class of all M_Υ, and set F = {S}. For any input I appropriate for M_Υ, Υ ↦ (M_Υ, S, I) is a reduction of U to MC(C, F). This implies that MC(C, F) is undecidable.

In favor of a succinct formulation of the next theorem we introduce some additional notation.

Definition 13. Let L denote the closure of the set of first-order formulas under the rules for negation and disjunction, and the following rule:
(T) If φ and ψ are L formulas, then Xφ, φUψ, and φBψ are L formulas.
The universal closure of L, denoted ∀L, is the set of formulas of the form ∀x̄ Aψ with ψ ∈ L and free(ψ) ⊆ {x̄}, where free(ψ) is defined in the obvious way.

We define a restriction of the model-checking problem for ASMs. Investigation of this restriction is motivated by the observation that the arities of relations and functions used in practice tend to be rather small. Indeed, for practical purposes it often suffices to solve MC for ASMs whose vocabulary contains only symbols of arity ≤ m, for some a priori fixed natural number m. Let MC_m(C, F) denote the restriction of MC(C, F) to instances where only symbols of arity ≤ m occur.

The following theorem generalizes a result in [22]. Note that ∀L can be viewed as a fragment of FBTL.
Theorem 14. Let C be the class of finitely initialized ASMs whose program does not contain import or choose. For any natural number m, MC_m(C, ∀L) is PSPACE-complete.

We already encounter PSPACE-hardness of MC_m(C, ∀L) if m = 1 and C is the class of finitely initialized ASMs of the form (Υ, initial, skip). This follows by a reduction of the PSPACE-complete model-checking problem for propositional temporal logic [2 , ].

As already pointed out in the introduction, a decision procedure for MC(C, F) can be useful for the verification of ASMs that are supposed to run correctly on a small number of inputs only. However, for applications where correctness of an ASM has to be ensured for a large number of inputs — or even infinitely many inputs — a solution of MC(C, F) does not suffice. For such applications we have to solve the model-checking problem for all admissible inputs. This will be our main concern in the next section.

4 r s r c c s 

We study the problem of model checking ASMs against FBTL specifications for all inputs. After formally defining this problem, which we call the verification problem for ASMs, we provide some evidence that it subsumes the model-checking problem for ASMs and investigate its decidability and complexity.

4.1 The Verification Problem

Let C be a uniformly initialized class of ASMs and F a fragment of FBTL. Verifying C-ASMs against F-specifications means solving the following decision problem:

VERIFY(C, F): Given the standard representation of an ASM M ∈ C and a sentence φ ∈ F over the vocabulary of M, decide whether for every input I appropriate for M, G(M, I) ⊨ φ.



Remark 15. One may object that the above formulation of VERIFY does not adequately reflect real-life verification of ASMs, as in applications one is often interested in verifying an ASM only for inputs that satisfy certain conditions. Note however that these conditions can be viewed as part of a specification. For example, suppose that the sentence χ describes all admissible inputs of an ASM M. That is, an input I is considered to be admissible for M iff I ⊨ χ. Then (M, χ → φ) is a positive instance of VERIFY iff for every admissible input I appropriate for M, G(M, I) ⊨ φ.

Not surprisingly, VERIFY(C, F) is in general undecidable, even for classes C of simple ASMs and simple fragments F of FBTL. For instance, recall the reduction of the undecidable problem U to MC(C, F) in Remark 12(b) and observe that the same reduction (with I removed from the image of every Υ) also reduces U to VERIFY(C, F).

Proviso 16. In the remainder of this section we restrict ourselves to finitely initialized ASMs (see Definition 11).

4.2 Model Checking vs. Verification

We show that MC(C, F) is polynomial-time reducible to VERIFY(C', F') if C and F satisfy certain closure conditions. In favor of a concise presentation of the result we introduce a restricted type of first-order quantification, which we call witness-bounded quantification. In the following, FO denotes first-order logic (with equality).

Witness-bounded quantification. A witness set is a finite set of variables and constant symbols. For a witness set W and a variable x not in W, we write (x ∈ W) instead of (⋁_{w ∈ W} x = w). Intuitively, (x ∈ W) holds iff the interpretation of x matches the interpretation of some symbol in W.

Definition 17. The witness-bounded fragment of FO, denoted FO_wb, is obtained from FO by replacing the rule for (unrestricted) quantification with the following rule for witness-bounded quantification:
(Q) If W is a witness set, x a variable not in W, and φ a formula, then (∃x ∈ W)φ and (∀x ∈ W)φ are formulas.
The free and bound variables of FO_wb formulas are defined as usual. In particular, x occurs bound in (∃x ∈ W)φ and (∀x ∈ W)φ, while all variables in the witness set W occur free.

We view FO_wb as a fragment of FO where formulas of the form (∃x ∈ W)φ and (∀x ∈ W)φ are mere abbreviations for ∃x((x ∈ W) ∧ φ) and ∀x((x ∈ W) → φ), respectively.

Reduction of MC to VERIFY. Proceeding toward a reduction of MC to VERIFY, we next define witness-bounded versions of ASMs and FBTL formulas. Let W be a witness set containing only constant symbols. For every FBTL formula φ, obtain φ^W from φ by replacing every first-order quantifier with the corresponding W-bounded quantifier (e.g., replace ∃x with (∃x ∈ W), and ∀x with (∀x ∈ W)). For every ASM M = (Υ, initial, Π) with W ⊆ Υ, let M^W := (Υ, initial, Π^W), where Π^W is obtained by induction on the construction of Π:
— If Π is skip or an update, then Π^W := Π.
— If Π = (if φ then Π_1), then Π^W := (if φ^W then Π_1^W).
— If Π = (Π_1 Π_2), then Π^W := (Π_1^W Π_2^W).
— If Π = (do-forall x̄ : φ  Π_1), then Π^W := (do-forall x̄ ∈ W : φ^W  Π_1^W).
If Π is a choose or import rule, proceed similar to the last case. For a class C of ASMs and a fragment F of FBTL, let C^W and F^W be defined by:
   C^W := {M^W : M = (Υ, initial, Π) ∈ C, W ⊆ Υ is a set of constant symbols}
   F^W := {φ^W : φ ∈ F, W is a set of constant symbols}
Lemma 18. Let C be the class of finitely initialized ASMs whose program does

initial, Π). W.l.o.g., we may assume that every element in I is denoted by some constant symbol in Υ_in. (If this is not the case, enrich Υ with new constant symbols and add interpretations of the new symbols to I. This modification of I is clearly polynomial-time computable.) We construct an instance (M', φ') of VERIFY(C', F') which is positive iff (M, φ, I) is a positive instance of MC(C, F).

Let χ_I := ⋀ γ where γ ranges in the set of atomic and negated atomic sentences over Υ_in true in I. χ_I is a quantifier-free sentence over Υ_in and can be constructed from I in polynomial time. For every finite structure J over Υ_in we have J ⊨ χ_I iff there exists a substructure of J isomorphic to I.

Now to the definition of M' and φ'. Let W be the set of constant symbols in Υ_in, and error a Boolean symbol not in Υ. Let φ' := (χ_I → φ^W) and M' = (Υ ∪ {error}, initial, Π') with Π' := (Π^W  if ¬χ_I then error := true). (M', φ') can be obtained from (M, φ, I) in polynomial time and is an instance of VERIFY(C', F').

Let C^W and F^W be as in the above lemma. The proof of the lemma shows that, if C' and F' have reasonable closure properties and C^W ⊆ C' and F^W ⊆ F', then MC(C, F) is polynomial-time reducible to VERIFY(C', F').

4.3 Decidability and Complexity

The next proposition provides a sufficient condition for the decidability of the verification problem. Let us first recall two decision problems from logic.

Finite satisfiability and finite validity. Let L be a logic, Υ a vocabulary, and φ an L-sentence over Υ. φ is called finitely satisfiable if there exists a finite structure A over Υ with A ⊨ φ. φ is called finitely valid if for every finite structure A over Υ, A ⊨ φ. By FIN-SAT(L) (resp. FIN-VAL(L)) we denote the problem of deciding finite satisfiability (resp. finite validity) of a given L-sentence.

Proposition 19. (a) Let C be a class of ASMs and F a fragment of FBTL. If there exists a logic L satisfying the following two conditions, then VERIFY(C, F) is decidable.
1. FIN-VAL(L) is decidable.
2. There exists a computable function which maps every instance (M, φ) of VERIFY(C, F) to an L-sentence χ over the input vocabulary of M, such that for every input I appropriate for M,
   G(M, I) ⊨ φ iff I ⊨ χ.
(b) Let ¬F denote the set of negated F-sentences. VERIFY(C, ¬F) is decidable if in the first condition instead of FIN-VAL(L), FIN-SAT(L) is decidable.

Proof. To assertion (a). The second condition immediately implies that (M, φ) ↦ χ is a reduction of VERIFY(C, F) to FIN-VAL(L). The latter problem is decidable by assumption. To assertion (b). Verify the following chain of equivalences: (M, ¬φ) ∈ VERIFY(C, ¬F) iff G(M, I) ⊨ ¬φ for every I (appropriate for M) iff G(M, I) ⊭ φ for every I iff I ⊭ χ for every I iff χ ∉ FIN-SAT(L). Hence, (M, ¬φ) ↦ χ is a reduction of VERIFY(C, ¬F) to the complement of FIN-SAT(L). Decidability of FIN-SAT(L) then implies assertion (b).

Of course, the main challenge in applying Proposition 19 is to find a logic L that satisfies the two conditions in the proposition. As possible candidates for L we propose the following logics:
— existential transitive closure logic (E+TC),
— existential least fixed-point logic (E+LFP) [ , ], and
— SO(∃*), i.e., the set of second-order formulas in prenex normal form, whose quantifier prefix is an arbitrary string of second-order quantifiers followed by a string of existential first-order quantifiers [ 9].
Both FIN-VAL and FIN-SAT are decidable for each of these logics if one restricts attention to formulas over relational vocabularies [ ,9].

In the remainder of this section we recall some results concerning the decidability of VERIFY from [2 ]. The main positive result there was obtained by means of an application of Proposition 19.

Definition 20. Let Υ be a vocabulary where Υ_dyn and Υ_ext contain only nullary symbols. Sequential nullary programs over Υ are defined inductively:
— Updates: For every relation symbol R ∈ Υ_dyn, every function symbol f ∈ Υ_dyn, and every term t over Υ, each of the following is a sequential nullary program: R := true, R := false, f := t.
— Conditionals: If Π is a sequential nullary program and φ a witness-bounded formula over Υ, then (if φ then Π) is a sequential nullary program.
— Parallel composition: If Π_1 and Π_2 are sequential nullary programs, then (Π_1 Π_2) is a sequential nullary program.
— Non-deterministic choice: If Π is a sequential nullary program, x̄ a tuple of pairwise distinct variables, and φ a witness-bounded formula over Υ such that ∃x̄φ is finitely valid, then (choose x̄ : φ  Π) is a sequential nullary program.
The free and bound variables of a sequential nullary program are defined in the obvious way.

A sequential nullary ASM is a finitely initialized ASM whose program is a sequential nullary program without free variables. SN-rel (resp. SN-func) denotes the class of sequential nullary ASMs whose input vocabulary contains only relation and constant symbols (resp. contains at least two non-nullary symbols, one of which is a function symbol).
The next definition introduces two fragments of FBTL, denoted E-FBTL and A-FBTL. Informally speaking, the formulas in E-FBTL (resp. A-FBTL) are built from atomic formulas by means of disjunction, conjunction, existential (resp. universal) quantification (applicable only to state formulas), the temporal operators X, U, and B, and the path quantifier E (resp. A).

Definition 21. E-FBTL denotes the set of formulas derivable by means of rules (S1), (S2), (P1), (P2) in Definition 4, and the following two formula-formation rules:
(B1)' If φ and ψ are state (resp. path) formulas, then φ ∨ ψ and φ ∧ ψ are state (resp. path) formulas.
(B2)' If x is a variable and φ a state formula, then ∃xφ is a state formula.
A-FBTL denotes the set of negated E-FBTL formulas.

Let VERIFY_m(C, F) denote the restriction of VERIFY(C, F) to instances where only symbols of arity ≤ m occur. Again, solving VERIFY_m(C, F) instead of VERIFY(C, F) should be no serious obstacle for practical purposes.

Theorem 22 ([2 ]). For any natural number m, the problem
   VERIFY_m(SN-rel, A-FBTL)
is PSPACE-complete. In other words, verifying sequential nullary ASMs with relational input against A-FBTL specifications is a PSPACE-complete problem, given that the maximal arity of the involved input relations is a priori bounded.

The proof of the theorem closely follows a construction due to Immerman and Vardi that was first presented in [ 7] as a translation of CTL* into (E+TC). Using this construction one can show that for C = SN-rel, F = A-FBTL, and L = (E+TC) the second condition in Proposition 19 is satisfied. The containment assertion of the theorem is then implied by the following two observations:
1. Finite validity and finite satisfiability of (E+TC) sentences over relational vocabularies is decidable in PSPACE if one imposes an upper bound m on the arities of the occurring relation symbols [2 ,23].
2. There exists a polynomial-time computable function as in the second condition of Proposition 19.

VERIFY_m(C, F) is already PSPACE-hard if m = 1, F contains AF accept, and C includes all SN-rel whose external vocabulary is empty and whose dynamic vocabulary contains only Boolean symbols. This follows by a reduction of the PSPACE-complete satisfiability problem for quantified Boolean formulas.

Unfortunately, Theorem 22 does not hold for sequential nullary ASMs whose inputs contain functions, as the following theorem shows. For the sake of brevity we write LIVENESS(C) instead of VERIFY(C, {AF accept}) and SAFETY(C) instead of VERIFY(C, {AG ¬error}).
Theorem 23 ([2 ]). The two problems LIVENESS(SN-func) and SAFETY(SN-func) are both undecidable. Moreover, SAFETY(C) is undecidable for every class C that includes all deterministic SN-func whose external vocabulary is empty and whose dynamic vocabulary consists of two nullary function symbols and arbitrarily many nullary relation symbols.

The proof of this theorem is by reduction of the halting problem for Turing machines. It is based on the following two observations:
1. Inputs that contain non-nullary functions suffice to encode bit-strings.
2. Two nullary dynamic functions suffice to check whether a bit-string encodes an accepting computation of a Turing machine.
An analysis of the proof indicates that automatic verification of even very simple ASMs whose inputs can be used for encoding bit-strings is not feasible. Nevertheless, Theorem 22 and results in [22] show that restricted variants of ASMs with relational inputs can be verified automatically.
Abstract. Gurevich's Abstract State Machines (ASM) constitute a high-level specification language for a wide range of applications. The existing tool support for ASM was extended, in a previous work, to provide computer-aided verification, in particular by model checking. In this paper, we discuss the applicability of the model checking approach in general and describe the steps that are necessary to fit different kinds of ASM models for the model checking process. Along the example of the FLASH cache coherence protocol, we show how model checking can support development and debugging of ASM models. We present the necessary refinement for the message passing behaviour in the protocol and give examples for errors found by model checking the resulting model. We conclude with some general remarks on the existing transformation algorithm.



1 Introduction

An ASM model comprises the specification of the state space of the system and its behaviour specified by state transitions. The state space is given by a set of universes and functions over these universes. If the domains and ranges of all contributing functions are finite (and not too large) then an ASM model can be transformed into a model checker language, e.g. the language of the SMV model checker ([7]). (We call a universe finite if it cannot be extended during a run by firing some transition rules.)

A first schematic approach is published in [ 3]. In [2] the schema is extended for coping with n-ary functions (n > 0). All n-ary functions will be unfolded to get 0-ary functions that can be mapped to simple state variables within the SMV model. Of course, model checking as a fully automatic approach is limited with respect to the computational effort and thus not feasible for every ASM model. However, our extended transformation approach can tackle a much broader set of applications and yields a real improvement of the former simple transformation.

Once an ASM model is transformed into the SMV model checker language we benefit from checking properties concerning safety and liveness. If counterexamples can be detected they will yield a good insight into the ASM model under development.

Gurevich et al. (Eds.), pp. 4 — 6 . © Springer-Verlag Berlin Heidelberg
On the other hand, our transformation tool supplies us with a high-level modelling language. The modelling task is facilitated by allowing the use of more complex data types and n-ary functions for parametrisation. In general, we found that ASM models, in comparison to similar SMV models (cf. Section 6), are more concise but yet more general by means of using parameters. Also, an ASM model can be scaled up more easily than an SMV model, which we have to code along with simple state variables rather than n-ary functions.

This process of transforming the ASM model into the SMV language, and checking the resulting model, is running automatically, i.e. without user interaction, once safety and liveness properties are formalised in a temporal logic (for SMV this is CTL). This is why the model checking approach is so attractive for industry. No expertise seems to be necessary for using a model checker; it is simply a 'press button functionality'.

This works not only in principle, it works in practice too, as examples show. In most cases, however, we have to adapt the ASM model at hand in order to fit it to the model checking process.



2 Fitting ASMs for the Model Checking Process

Most ASMs — on a certain level of abstraction — do not comprise state and state transition specification only, but some additional assumptions (cf. Fig. 1).




Fig. 1. Different layers of abstraction (figure: ASM 0, ASM 1, ASM 2, interface to environment, implementation)



Often these assumptions are necessary for the mathematical proof in order to cope with parts that are abstract or external for the ASM model. They are given informally or formalised by some logic expression within the text that surrounds the specification of the transition rules. Assumptions related to system-inherent behaviour will be specified in terms of transition rules at some lower level of abstraction, whereas assumptions over the environment of the system are dedicated to the external behaviour that should not be specified further by rules in a refinement step, but rather stated in a declarative way on a high level of abstraction (e.g. by means of temporal logic formulae). This is necessary for the development of embedded systems that are not regarded to be robust against arbitrary — possibly faulty — environment behaviour. We give some simple examples:

It od 1 of t bak r algorit ([ ]) t tick t fu ctio T is 

t r al a d its b aviour is abstract i t ost abstract od 1. ut 

d t at so logical prop rti s ar assu d t at av to b satis d b T. 

is logical prop rti s ar t sp ci d i t appropriat 1 r d 
Iso, for t sp ci catio of t bak r algorit , d t at a fair ss 

assu ptio is c ssar for provi g corr ct ss of t algorit ([ ])• tt 

o 1 1 r is o f atur i la guag to pr ss fair ss assu ptio s. 

It s ould b discuss d to t d t la guag i t is dir ctio . 

or b dd d s st s lik t productio c 11, t sp ci catio of t vi- 
ro t is abstract ([ ]) a d ot part of t ordi ar tra sitio s st 

b aviour of s sors is for alis d b a s of oracl fu ctio s. Ho v r, it 
is c ssar to assu t at t b aviour of t viro t is “r aso abl ” 
i ord r to guara t corr ct ss of t od 1. 1 [ ] ost assu ptio s 

ar giv i t r s of logical for ula t at r ai t r al for t r d 
, too. 

or t sp ci catio of protocols ig t abstract fro t u d rl i g 

CO u icatio od 1 gov r i g t tra sf r of ssag s, lik i t 
od 1 of t H cac CO r c protocol i [3]. ut for t proofs 

av to assu t at t ssag s ar tra sf r d accord! g to a particular 
strat g ( .g. t I -strat g , sue t at t ord ri g of ssag s is pr - 
s rv d) . t so lo r 1 V 1 i t i rare a prop r ssag pass! g 

b aviour as to b sp ci d t at i pi ts t assu ptio ad o t 

ord r of tra sf r d ssag s (cf. s ctio 3). 

bviousl , o 1 stat s, stat tra sitio s, a assu ptio sot od 1 tog t r 

giv t CO pi t sp ci catio of t probl at a d. is vi is sk tc d 

i g. : t das d bo co pris s all parts of a od 1 at a particular 1 v 1 of 
abstractio . 

I , t r al or s st i r t but (o a c rtai 1 v 1) abstract b - 

aviour is sp ci d b oracl fu ctio s. racl fu ctio s - i cas of it 

do ai s - ca b si pi tra sfor d i to corr spo di g o r strict d stat 

variabl s it i t od 1 ( it r t ir i itialisatio or t ir updati g 

is sp ci d), i. . giv a s s i ati adab aviour a b c os 

o -d t r i isticall . i c od 1 c cki g is co pi t t sti g ov r t ol 

stat spac , V r loos sp ci catio 1 ads to a co pi t cas disti ctio ov r all 

possibiliti s. probl s arisi g it t is ar ot o 1 a att r of t k o 

stat plosio probl , but if fail to t t additio al assu ptio s o 
oracl fu ctio s (t os ic ar ot pr ss d b as of tra sitio rul s), 
t od 1 CO pris s b aviour t at is clud d i t m t ordi ar 

od 1. 
For our approach of transformation, we have to add the assumptions, given outside of the transition rules, to the model:

- Fairness constraints can simply be added in the SMV code, since the SMV language offers the corresponding feature.

- For embedded systems, since the current tools do not support the specification of assumptions in terms of some temporal logic, we have to specify assumptions on the environment by means of transition rules to get a suitable input for the transformation. It is a difficult task, however, to model behaviour accurately in a constructive way, because abstract properties have to be coded operationally. This process easily leads to under-specification or over-specification, i.e. the specification is too open or too restrictive. It must be carefully inspected whether the specification fits the assumptions. Otherwise errors may remain undetected or a "wrong counterexample" may be generated (see below). We have to be aware that the results of model checking will hold only with respect to the specified environment.

- Assumptions made on abstract parts of the internal ASM model can simply be added by means of refining the model appropriately. As an example the reader is referred to the case study presented in the following sections. (In particular, the matters of refinement are discussed in section 3.)

Let M be the set of ASM models, N the set of SMV models, and RUN the set of runs of an ordinary temporal structure over branching time, which provides a semantics that both kinds of model have in common. To give a more precise notion of missing assumptions, we introduce $mod_A$ and $mod_S$, two functions that yield the semantics of a model such that $mod_A : M \rightarrow RUN$ and $mod_S : N \rightarrow RUN$. Problems may arise in two cases:

$$mod_A(M_A) \subset mod_S(M_S)$$

$$mod_A(M_A) \supset mod_S(M_S)$$

In the first case — the transformed SMV-model is strictly greater than the ASM-model because of a loose specification of assumptions — $mod_S(M_S) \setminus mod_A(M_A)$ may contain runs that violate the property to be checked. One of these may give a counterexample that is, however, not a proper run of the ASM model. No proposition on the ASM model under investigation is possible then, since only one counterexample will be given. We call it therefore a wrong counterexample; it obstructs the overall debugging process.

In the second case — specifying assumptions too restrictively, such that the SMV-model is strictly smaller than the ordinary ASM-model — we may fail to detect errors that occur only in those runs of the ASM-model that are excluded for the SMV-model. The runs in $mod_A(M_A) \setminus mod_S(M_S)$ will not be checked by the model checker.

In the following we give an example for fitting an ASM-model to our model checking approach. The smooth ASM model of the FLASH cache coherence protocol that is given in [3] can be refined in order to add the assumptions that are stated in the proof part. Also, the necessary fairness assumptions are added in the SMV code. Assumptions on environmental behaviour are not needed in this particular case; we can keep the "environment" by means of oracle functions without any restricting specification.

In section 2 we present the original abstract model of the FLASH protocol from [3]. Section 3 introduces our refinements that are necessary to complete the ASM model to be transformed. The results that show the benefits from model checking are presented in section 4. In section 5 the transformation and its possible optimisations are discussed. We give remarks on related work in section 6 and conclude with section 7.

2 The FLASH Cache Coherence Protocol

The Stanford FLASH multiprocessor (cf. [6]) integrates support for cache coherent shared memory for a large number of interconnected processing nodes. That is, each node (or processor) holds some part of memory, which is accessible for other nodes too, in order to read or write data from this part. One of the problems to be investigated for this architecture is the coherence of the data, since access to data is realised by working with a copy of it. It may happen that while one node is going to process a copy of the data the data have changed in the meanwhile (because of some writing access of another node).

The parts of the distributed memory are given as sets of lines, i.e. small pieces of memory content. Each line is associated with a home node hosting the part of the physical memory where the line resides. Whenever a process (or a node) needs to have access to a particular line, we say that a read or write miss occurs. Every read or write miss concerning a remote memory line triggers a line request to its home node.

Being interconnected, the nodes are able to communicate with each other. They can send (and deliver) messages in order to request a remote line or to respond to a request by means of sending a copy of the needed data. To provide coherence of the data, additional book-keeping is necessary to prevent simultaneous reading and writing on the same line. That is, writing needs exclusive access to a line whereas reading is allowed in shared access. Message passing and book-keeping of shared and exclusive access is the matter of the protocol specification we consider in our model.

The ASM model of the protocol in [3] is based on agents. Each agent models one (processor) node that holds a certain block of the distributed memory. A set of transition rules describes the behaviour of a single agent. Its behaviour is determined by the incoming message that is to be processed; in fact the type of a message is suitable for determination. This notion yields the clear model structure shown in Figures 2 and 3.

Incoming messages are requests from remote nodes (or from the receiving node itself; in order to simplify the model, this special case is called intra-node communication further on). In Figure 2 (lower part) the reader may find transition rules to be triggered when a request for shared access is received. In Figure 3 (upper part) transition rules for handling requests for exclusive access are depicted. For readability the message types to be distinguished are surrounded by boxes.

A read or write miss that causes a request to be sent is arbitrarily generated by means of oracles. These oracles come along as messages as well; their types have the prefix cc.__ (cf. Figure 2, upper part). Whenever the agent receives such a kind of message it generates the corresponding request and enters a waiting mode. Releasing an access is handled in the same way. If the agent sends a request for releasing a line the state of the line is invalidated, that is, the node has no reliable copy of the line any more.

In our adaptation of the model the parts related to data (to be sent within the messages) are discarded. Since the data neither influence the control flow of the protocol behaviour (data do not control any of the guards in the transition rules) nor determine the properties to be checked, we do not lose expressiveness of the model and our checking results.

State Functions. Beside the message type the agent's behaviour depends on several state variables: CurPhase(l) (phase of the current request), State(l) (state of the local line copy in use), and pending(l) (flag for a currently processed request). Owner(l) and the set of Sharers of a line are also taken into account. These functions are local for each agent; the additional parameter self is omitted in Figures 2 and 3.

Message Structure. A message is modelled as a quintuple consisting of the type of the message, the addressed agent, the sender agent, the agent initiating the request and the requested line.

Message types related to shared access are:

get: requesting a line from its home
put: granting a line to the requester (source of the request)
fwdget: forwarding the request to an exclusive owner of the line
swb: requesting a write-back of an owned line that is to be shared
nack, nackc: negatively acknowledging the request or the forwarded request (nackc), if it cannot be performed now.



The transition rules that are related to requests for shared access are given in Figure 2: the circulation of a "get"-request. A get-request may either be (a) negatively acknowledged if another request on the line is already being processed (pending(l) is true), or (b) it is forwarded to the current owner if there is already an exclusive access (Owner(l) not undefined), or (c) it is granted to the requester if no owner is noted (else case). If there is an owner (case (b) above), the grant for shared access is given by the agent which "believes" to be an owner, and, moreover, the owner has to release its exclusive copy. If an agent gets a forwarded get-request and does not agree to be the owner of the line (State(l) is not exclusive) then the request has to be negatively acknowledged as well.



In analogy, message types related to exclusive access are:

getx: requesting a line for exclusive access from its home
putx: granting a line for exclusive access to the requester
Generating requests (oracle messages with prefix cc.):

if MessType = cc.get ∧ CurPhase(l) = ready
then SendMsg(get, home(l), self, self, l)
     CurPhase(l) := wait

if MessType = cc.getx ∧ CurPhase(l) = ready
then SendMsg(getx, home(l), self, self, l)
     CurPhase(l) := wait

if MessType = cc.rpl ∧ CurPhase(l) = ready ∧ State(l) = shared
then SendMsg(rpl, home(l), self, self, l)
     State(l) := invalid

if MessType = cc.wb ∧ CurPhase(l) = ready ∧ State(l) = exclusive
then SendMsg(wb, home(l), self, self, l)
     State(l) := invalid

Responding on a request for shared access:

if MessType = get
then if pending(l) then SendMsg(nack, source, self, source, l)
     elseif Owner(l) ≠ undef
     then SendMsg(fwdget, Owner(l), self, source, l)
          pending(l) := true
     else SendMsg(put, source, self, source, l)
          Sharer(l, source) := true

if MessType = fwdget
then if State(l) = exclusive
     then SendMsg(put, source, self, source, l)
          SendMsg(swb, home(l), self, source, l)
          State(l) := shared
     else SendMsg(nack, source, self, source, l)
          SendMsg(nackc, home(l), self, source, l)

if MessType = put
then curPhase(l) := ready
     if curPhase(l) ≠ invalid then State(l) := shared

if MessType = swb
then Sharer(l, source) := true
     Sharer(l, Owner(l)) := true
     Owner(l) := undef
     pending(l) := false

if MessType = nack
then curPhase(l) := ready

if MessType = nackc
then pending(l) := false

Figure 2. Responding on a request for shared access
if MessType = getx
then if pending(l)
     then SendMsg(nack, source, self, source, l)
     elseif Owner(l) ≠ undef
     then SendMsg(fwdgetx, Owner(l), self, source, l)
          pending(l) := true
     elseif ∃u : Sharer(l, u)
     then ∀u : Sharer(l, u)  SendMsg(inv, u, self, source, l)
          pending(l) := true
     else SendMsg(putx, source, self, source, l)
          Owner(l) := source

if MessType = fwdgetx
then if State(l) = exclusive
     then SendMsg(putx, source, self, source, l)
          SendMsg(fwdAck, home(l), self, source, l)
          State(l) := invalid
     else SendMsg(nack, source, self, source, l)
          SendMsg(nackc, home(l), self, source, l)

if MessType = putx
then State(l) := exclusive
     CurPhase(l) := ready

if MessType = fwdAck
then if Owner(l) ≠ undef
     then Owner(l) := source
          pending(l) := true

if MessType = inv
then SendMsg(invAck, home(l), self, source, l)
     if State(l) = shared
     then State(l) := invalid
     elseif curPhase(l) = wait
     then curPhase(l) := invalidPhase

if MessType = invAck
then Sharer(l, MessSender) := false
     if ∀a : Agents | a ≠ MessSender ∧ Sharer(l, a) = false
     then SendMsg(putx, source, self, source, l)
          pending(l) := false

if MessType = rpl
then if ∃u : Sharer(l, u) ∧ ¬pending(l)
     then Sharer(l, u) := undef

if MessType = wb
then if Owner(l) ≠ undef
     then Owner(l) := undef

Figure 3. Responding on a request for exclusive access
fwdgetx: forwarding the request for exclusive access to the owner of the line
inv: requesting a current sharer of the line to invalidate its local copy
invAck: acknowledging the invalidation of the line
fwdAck: owner's granting according to a forwarded exclusive request.

The corresponding behaviour is shown in Figure 3: the circulation of a "getx"-request. Again, the exclusive request may be negatively acknowledged if another request is in process already, or it is forwarded to the owner if there is one noted. In addition to the get-request we have to take care of possible sharers if there is no owner. Each of the sharers of the line has to be informed about the request for exclusive access (by sending an inv-message). When getting an inv-message, a sharer has to invalidate its copy of the line and responds with an acknowledgement of invalidation (sending an invAck-message). When each of the sharers has sent its invalidation acknowledgement to home, a grant for exclusive access is sent to the requester (i.e. sending the putx-message is delayed until all invAck-messages are received).

For releasing a shared or exclusive copy from its cache an agent sends a write-back (wb) or a replace message (rpl) to home. The agent has to be deleted from the list of sharers or is not noted as owner any more.

3 Refinement of the FLASH Model

Sending a message is given as a macro definition. In the abstract model of [3] SendMsg adds a message to a (possibly infinite) set of messages in transit using the extend rule constructor. The strategy for receiving a message from this set is not specified. For the proof it is just assumed in [3] that the messages are received in the right order. In order to formalise this assumption and to keep the model finite we had to refine the model. By means of the refinement we restrict the model, excluding those runs in which a message is sent but never received, or sent but overwritten by a message that is sent later. That is, we want to exclude that messages are received in a different order than being sent. Without our refinements the model is either infinite (in [3] the set of messages in transit is not restricted at all) or yields wrong counterexamples (if we rely on restricting the set to be finite only). We cannot guarantee liveness if messages are received in a wrong order.

In order to avoid loss of messages and to guarantee that the order of sending messages and receiving a message is proper, we add a strategy of synchronisation: (a) We introduce a queue for messages in transit for each agent. (b) A message can be sent only if the queue for messages in transit is not full. (c) We interleave the protocol behaviour with synchronisation steps. Each step of protocol communication (specified by the rules given in Figures 2 and 3) is followed by one step of message passing through. The refinement and necessary changes are described in the following subsections.

At http://www.first.gmd.de/~kirsten the listing of the refined ASM-model can be found.
3.1 Queue for Messages in Transit

Instead of handling messages as tuples we decided to keep the components of a message as single functions. (That is to avoid unnecessary complexity caused by the unfolding step in the transformation.) The formerly infinite universe MessInTransit is replaced by finite queues for each agent that hold one of the message components each:

MessInTr: QLength * Agent -> Type,
SenderInTr: QLength * Agent -> Agent,
SourceInTr: QLength * Agent -> Agent, and
LineInTr: QLength * Agent -> Line.

The universes QLength, Agent, and Line are sets that are finitely restricted by a maximal index: maxQ, maxAgent, or maxLine. These constants can easily be adjusted in order to scale up the model under investigation.

Sending a message (SendMsg) is now specified as appending the message components to the corresponding functions: If n_i is the smallest index for which the queue for messages in transit is empty, we update all message-component-functions at this index. We indicate emptiness of a queue entry (n_i) by means of the message type noMess for the message type component, i.e. if (MessInTr(n_i, a_i)=noMess) is satisfied and for all n_j < n_i it is not, then n_i marks the index for writing the message to be appended. This is specified by means of the following macro:

transition AppendToTransit (agent_, (sender_,mess_,source_,line_)) ==
  if MessInTr(1,agent_)=noMess
  then SenderInTr(1,agent_) := sender_
       MessInTr(1,agent_) := mess_
       SourceInTr(1,agent_) := source_
       LineInTr(1,agent_) := line_
  else do forall i in {2..maxQ}
         if MessInTr((i-1),agent_)!=noMess and MessInTr(i,agent_)=noMess
         then SenderInTr(i,agent_) := sender_
              MessInTr(i,agent_) := mess_
              SourceInTr(i,agent_) := source_
              LineInTr(i,agent_) := line_
         endif
       enddo
  endif

For requests (i.e. message type is cc.get, cc.getx, cc.wb, cc.rpl) we introduce an extra queue for requests in transit, MessInTrR. Analogously, we define dynamic functions that hold one of the components of a request. Sending of a request message is specified by means of the macro AppendRequestToTransit that looks similar to the appending macro shown above.

3.2 Passing through of Messages in Transit

Sending of a message by means of appending it to the queue of messages in transit is only one half of the message exchange. As a second step we have to specify how the messages in transit are read by the agents to be addressed, that is, how messages are passing through (cf. Fig. 4).

Each agent holds a current message (which is seen to be empty if its type equals noMess). Again we model the current message by means of its components: InMess, InSender, InSource, and InLine are defined as dynamic functions over domain Agent. The current message is delivered by passing through the first element of the transit-queues MessInTr and MessInTrR (see Fig. 4). Note that requests have lower priority than messages, i.e. a request is passed through only if there is no message in transit left.



Figure 4. Message passing through from MessInTransit (queue positions 1, 2, …, maxR) to the incoming message



Processing the current message and delivering a message operate on the same dynamic functions of the model. In order to avoid racing we have to interleave both steps: message processing of the agents and message passing through. We extend the overall behaviour by means of a sub-step for synchronisation. In the synchronisation step the messages are passed through to the addressed agent in the proper order.

In an ASM model, introducing a sub-step (to be processed after each state transition) is structure preserving: in addition to the ASM for message processing we specify an ASM for the message passing through. That is, we do not have to interfere with the ordinary transition rules (cf. Figures 2 and 3) by adding transition rules for message passing through. The overall ASM main invokes both "sub-ASMs" agent_behaviour and message_passing in turn:

transition main ==
  if toggle = behave
  then agent_behaviour
       toggle := sync
  else (* if toggle = sync *)
       message_passing
       toggle := behave
  endif

Taking this, we benefit from the clear and understandable structure of the abstract model that is given by [3].
3.3 Special Situations for Intra-Node Communication

Racing situations (i.e. simultaneous updating of the same location through different rules) are excluded since we apply an interleaving semantics to the agents running in parallel, and we introduce sub-steps for message passing through (as described above). However, racing may be caused by intra-node communication: To keep the model small we do not distinguish whether the requesting node is also home of the line under request or not. That is, if the home of a line wants to have shared or exclusive access to its own line, it has to proceed in the same way as all other nodes have to, i.e. sending a get/getx-message to itself. If a requester is also home of the line it may happen that two messages are to be sent simultaneously to the same address. A racing situation occurs; one of the messages (the first of the two updates) will be lost. (In Figures 2 and 3 the reader may find such situations in the fwdget-rule and the fwdgetx-rule.)

In order to avoid racing we introduce three message types that combine two messages: put_swb, putx_fwdAck, and nack_nackc. Whenever the source of the message (i.e. the requester) is equal to the home of the line under request, we send one of the combined messages instead of sending two single messages. According to the new message types we also introduce new rules that combine both of the rules that have to be fired when receiving such messages.

4 Results of Model Checking

We take model checking of the transformed ASM model as an evolutionary process of debugging: edit the ASM model, transform it automatically into an SMV model, run SMV to check the properties under investigation, simulate the resulting counterexample (if any) with the ASM Workbench, and edit the ASM model again. As the debugging process is more efficient if the model checking terminates in a reasonable span of time, we keep our model in the beginning as small as possible. We find that, even if the model is restricted to two communicating agents and one line of memory, we detect errors in the abstract model as well as in our refinement. In the following we describe some of the detected errors as examples. Errors were raised when checking the model for safety and liveness, i.e.:

- No two agents have exclusive access on the same line simultaneously.
- Each request will eventually be acknowledged.
- Whenever an agent gets shared access, home will note it as a sharer.

The corresponding listings of the counterexamples can be found in the appendix of the full version of this paper to be found on http://www.first.gmd.de/~kirsten.
We formalise these requirements in CTL, e.g.:

/\_{i≠j} [AG (!(State(a(i),l)=exclusive & State(a(j),l)=exclusive))]
/\_i [AG (curPhase(a(i),l) = wait -> AF (curPhase(a(i),l) = ready))]
/\_i [AG (State(a(i),l)=shared -> AX (Sharer(l,a(i)) = true)
        | Sharer(l,a(i)) = true -> AX (State(a(i),l)=shared))]

Our first counterexample shows simultaneous exclusive access. We simulate the model and run into an error that can also be found in the abstract model of [3]:

- Whenever a putx-message is sent to grant exclusive access, the addressed requester has to be noted as owner of the line. This is specified for the getx-rule but it is missing for the invAck-rule that might also cause a putx-message to be sent (see also Fig. 3). The protocol is unsafe since simultaneous exclusive access may occur, and written data may be lost.

Other counterexamples are dedicated to the problem of racing (i.e., conflicts caused by simultaneous updates) on the finite message queue. Although our data space is restricted to a very short queue, we can derive more general remarks for the message passing via queues that concern the finite limitation of a queue itself (which, in fact, is characteristic for each possible realisation), e.g.:

- Each sharer of a requested line has to process the rule for invalidation (inv-rule). It sends an invAck-message to home for acknowledging the invalidation. When receiving an invAck-message, home deletes the sender from the list of sharers. If home is a sharer too (in case of intra-node communication (sec. 3.3)), a deadlock may occur if the number of sharers is greater than or equal to the length of the message queue: home may fail to complete the inv-rule when the queue is full and sending a message is not possible (since every other sharer may have sent before); home stays busy and cannot process the incoming invAck-rule to clear the queue. In general, we found out that the message queue must be larger than or equal to the number of agents, since in the worst case each agent is a sharer and will send simultaneously an invAck-message to the home node.

- We correct our model in that we refine the guards of the request-rules (i.e. rules for cc.get, cc.getx, cc.wb, and cc.rpl) when passing the requests in transit through to the home of the requested line.

The examples show that helpful borderline cases can be detected more easily by a model checker than by pure simulation. The computational effort for the automated transformation of our ASM models ranges from three to five seconds. The size of the resulting SMV models is given below, where the different columns yield the comparing results when scaling up the parameters for the number of agents and lines.^4 The variable ordering is determined by the automatic reordering facility that is given by SMV.

(Footnote 3, to the CTL formulas above: Though the third specification is rather weak, it yields helpful counterexamples. The disjunction is necessary due to the fact that the sequence in which the corresponding updates occur (noting a state to be shared and adding a sharer) changes for different scenarios.)


Resources used:                          | 2 agents, 1 line  | 3 agents, 1 line  | 2 agents, 2 lines
user time/system time:                   | 4.69 s / . 3 s    | 56 7.52 s / .6 s  | 7263.2 s / . 6 s
BDD nodes allocated:                     | 7 5 7             | 6 274             | 2975 27
Bytes allocated:                         | 4 49664           | 3774 736          | 54657 24
BDD nodes repr. transition relation:     | 926 + 7           | 2 9 6 + 2         | 7 365 + 96



Although checking our model of the FLASH protocol is only feasible for a small number of agents and lines, the results show that the counterexamples yield extremely helpful scenarios for locating errors.



5 The Transformation

The general approach for the transformation of ASM transition rules into SMV code is already described in [13]. The extended transformation algorithm that includes the transformation of n-ary dynamic functions (with n > 0) can be found in [2]. Based on this foundation we want to add some more general remarks here concerning the feasibility and optimisation. In order to make this paper self-contained we recall our main ideas of transformation.

5.1 Transformation

The basic translation scheme introduced in [13] can be applied to transform ASM into a subset of SMV, where: (i) only nullary dynamic and external functions are allowed; (ii) the only available data types are integers, booleans and enumerated types; (iii) the only static functions are those corresponding to predefined operations in SMV (boolean operations, +, etc.).

As the semantic models for SMV are essentially basic transition systems, the translation of ASM into SMV is very close:

- non-static functions (i.e. dynamic and external functions) are identified with locations and thus mapped one-to-one to state variables;
- values of the data types are mapped one-to-one to SMV constants;
- applications of static functions are translated to applications of the corresponding built-in operators of SMV.

What remains to be done is to restructure the ASM program into a form where updates of the same location, together with their guards, are collected together. This is done in two steps. First, we transform an ASM program P into an equivalent program P' consisting only of a block of guarded updates (i.e., rules of the form if G then f(t) := t') by means of a "flattening" transformation:

(Footnote 4: Experiments were carried out on an Ultra-II station with 296 MHz and 2 4 MB memory; the operating system is Solaris 2.6.)
$$[\![R_T]\!] = \{\ \text{if } G_T^1 \text{ then } R_T^1 \ \ \ldots\ \ \text{if } G_T^n \text{ then } R_T^n\ \}$$

$$[\![R_F]\!] = \{\ \text{if } G_F^1 \text{ then } R_F^1 \ \ \ldots\ \ \text{if } G_F^m \text{ then } R_F^m\ \}$$

$$\Longrightarrow\quad [\![\text{if } G \text{ then } R_T \text{ else } R_F]\!] = \left\{\begin{array}{l} \text{if } G \wedge G_T^1 \text{ then } R_T^1 \ \ \ldots\ \ \text{if } G \wedge G_T^n \text{ then } R_T^n \\ \text{if } \neg G \wedge G_F^1 \text{ then } R_F^1 \ \ \ldots\ \ \text{if } \neg G \wedge G_F^m \text{ then } R_F^m \end{array}\right\}$$

Second, we collect all guarded updates of the same location, thus obtaining, for each location loc occurring on the left-hand side of an update in P', a pair $(loc, \{(G_1, t_1), \ldots, (G_n, t_n)\})$ which maps loc to a set of pairs (guard, right-hand side). Such a pair is translated into the following SMV assignment:

ASSIGN next(C[[loc]]) :=
  case C[[G_1]] : C[[t_1]] ; ... C[[G_n]] : C[[t_n]] ; 1 : C[[loc]] ; esac;

where C[[.]] denotes the ASM → SMV compiling function for terms, which is straightforward for the restricted subset described above.
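The two-step restructuring just described, as an added example that is not the paper's transformation tool: a small rule AST is flattened into guarded updates and these are collected per location into SMV case-assignments. It assumes locations are already 0-ary names and that guards and terms are written directly in SMV syntax (so C[[.]] is the identity); its sample input is a constructed rule modelled on the put-rule of Figure 2.

```python
# Added example (not the paper's transformation tool): flattening nested ASM
# rules into guarded updates and collecting them per location into SMV
# `ASSIGN next(loc) := case ... esac;` blocks.  Assumes locations are already
# 0-ary names and that guards/terms are written in SMV syntax, so the
# term-compiling function C[[.]] is the identity.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass
class Skip:
    """The empty rule."""

@dataclass
class Update:
    """loc := term, with loc a 0-ary location."""
    loc: str
    term: str

@dataclass
class Block:
    """Parallel block R_1 ... R_n."""
    rules: List["Rule"]

@dataclass
class If:
    """if guard then then_rule else else_rule (else branch optional)."""
    guard: str
    then_rule: "Rule"
    else_rule: Optional["Rule"] = None

Rule = Union[Skip, Update, Block, If]
GuardedUpdate = Tuple[str, str, str]       # (guard, location, term)
Table = Dict[str, List[Tuple[str, str]]]   # location -> [(G_i, t_i)]

def conj(a: str, b: str) -> str:
    """Conjunction of two SMV guards; '1' (SMV's TRUE) is the neutral element."""
    if a == "1":
        return b
    if b == "1":
        return a
    return f"({a}) & ({b})"

def flatten(rule: Rule, guard: str = "1") -> List[GuardedUpdate]:
    """F[[R]]: the block of guarded updates equivalent to R; the accumulated
    guard is G for a then-branch and !G for an else-branch."""
    if isinstance(rule, Skip):
        return []
    if isinstance(rule, Update):
        return [(guard, rule.loc, rule.term)]
    if isinstance(rule, Block):
        return [gu for r in rule.rules for gu in flatten(r, guard)]
    if isinstance(rule, If):
        result = flatten(rule.then_rule, conj(guard, rule.guard))
        if rule.else_rule is not None:
            result += flatten(rule.else_rule, conj(guard, f"!({rule.guard})"))
        return result
    raise TypeError(f"unknown rule {rule!r}")

def collect(updates: List[GuardedUpdate]) -> Table:
    """Group guarded updates by location: loc -> [(G_1, t_1), ..., (G_n, t_n)]."""
    table: Table = {}
    for g, loc, term in updates:
        table.setdefault(loc, []).append((g, term))
    return table

def overlapping_locations(table: Table) -> List[str]:
    """Locations with more than one guarded update.  In ASM two such updates
    firing in one step with different values are inconsistent; in the SMV case
    expression the first matching branch silently wins, so the disjointness of
    these guards has to be checked."""
    return [loc for loc, pairs in table.items() if len(pairs) > 1]

def to_smv(table: Table) -> str:
    """One ASSIGN next(loc) := case ... esac; per location; the default branch
    `1 : loc` keeps the old value when no guard holds, as an ASM step does."""
    lines = []
    for loc, pairs in table.items():
        branches = " ".join(f"{g} : {t};" for g, t in pairs)
        lines.append(f"ASSIGN next({loc}) := case {branches} 1 : {loc}; esac;")
    return "\n".join(lines)

# Constructed input modelled on the put-rule of Figure 2 for one agent and one
# line (the line parameter already unfolded away):
#   if MessType = put then curPhase := ready
#                          if curPhase != invalid then State := shared
PUT_RULE = If(
    "MessType = put",
    Block([
        Update("curPhase", "ready"),
        If("curPhase != invalid", Update("State", "shared")),
    ]),
)

def demo() -> str:
    """SMV assignments for PUT_RULE; the inner guard reads curPhase in the
    current state, matching the ASM semantics of simultaneous updates."""
    return to_smv(collect(flatten(PUT_RULE)))
```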

The ordinary transformation shown above is extended in order to tackle the ASM-SL language as completely as possible. We have to exclude, however, infinite domains as well as the notion of import or export transition rules, because the domains of a model have to be finite and may not grow during a run. But any other rule constructor as well as arbitrary data types and operations (in particular, lists, finite sets, finite maps and user-definable freely generated types, as provided by ASM-SL) can be used without restriction. Finite quantifications are also supported.

In our approach we reduce an arbitrary ASM (under the finiteness restrictions above) to this subset. The main problem here is that in general we do not know which location is updated by $f(t_1, \ldots, t_n) := t$ (if n > 0), because the parameters $t_i$ may be dynamic functions and thus can change their current value. Evaluation of a location is possible if and only if all $t_i$ are evaluated, i.e. either they are static or we have to unfold them to cover all possible values. Thus, the basic idea of the transformation is to iteratively unfold and simplify rules until all terms can be reduced to values or locations.

Terms can be simplified by means of the transformation $[\![\cdot]\!]_\rho$ defined in Table 1, which is then extended to rules in a canonical way.

The rule-unfolding transformation $\mathcal{E}$, which operates on closed rules such as the program P, is formally defined in Table 2. It works as follows:

- if the rule R consists of a block of update rules of the form $l_i := x_i$, it terminates and yields R as result (there is nothing left to unfold);
- otherwise, it looks for the first location l occurring in R (but not as left-hand side of some update rule) and unfolds R according to the possible values of l. In turn, the unfolding has to be applied to the sub-rules obtained by substituting the values $x_i$ for l in R and simplifying.

Applying $\mathcal{E}$ to the (simplified) program $[\![P]\!]_\emptyset$ yields a program $P' = \mathcal{E}([\![P]\!]_\emptyset)$ which is essentially a program of the restricted subset above.




Table 1. Term and rule simplification

Term simplification ($\rho$ is an environment mapping variables to values; x, $x_i$ denote values, l a location):

$$[\![x]\!]_\rho = x$$

$$[\![v]\!]_\rho = \begin{cases} \rho(v) & \text{if } v \in \mathrm{dom}(\rho) \\ v & \text{otherwise} \end{cases}$$

$$[\![f(t_1,\ldots,t_n)]\!]_\rho = \begin{cases} f(x_1,\ldots,x_n) \text{ (evaluated to a value)} & \text{if } f \text{ is a static function and } [\![t_i]\!]_\rho = x_i \text{ for each } i \in \{1,\ldots,n\} \\ f(x_1,\ldots,x_n) \text{ (a location)} & \text{if } f \text{ is a dynamic/external function and } [\![t_i]\!]_\rho = x_i \text{ for each } i \in \{1,\ldots,n\} \\ f([\![t_1]\!]_\rho,\ldots,[\![t_n]\!]_\rho) & \text{if } [\![t_i]\!]_\rho = l \text{ or } [\![t_i]\!]_\rho = f'(t') \text{ for some } i \in \{1,\ldots,n\} \end{cases}$$

$$[\![Q\,v \text{ in } A \text{ with } G]\!]_\rho = \begin{cases} [\![G]\!]_{\rho[v \mapsto x_1]} \circ \cdots \circ [\![G]\!]_{\rho[v \mapsto x_n]} & \text{if } [\![A]\!]_\rho = \{x_1,\ldots,x_n\} \text{ (i.e., if } [\![A]\!]_\rho \text{ is a value)} \\ (Q\,v \text{ in } [\![A]\!]_\rho : [\![G]\!]_{\rho \setminus v}) & \text{otherwise} \end{cases}$$

(where $\circ = \wedge$ if Q = forall, $\circ = \vee$ if Q = exists).

Rule simplification:

$$[\![\text{skip}]\!]_\rho = \text{skip}$$

$$[\![f(t) := t']\!]_\rho = [\![f(t)]\!]_\rho := [\![t']\!]_\rho$$

$$[\![R_1 \ldots R_n]\!]_\rho = [\![R_1]\!]_\rho \ldots [\![R_n]\!]_\rho$$

$$[\![\text{if } G \text{ then } R_T \text{ else } R_F]\!]_\rho = \begin{cases} [\![R_T]\!]_\rho & \text{if } [\![G]\!]_\rho = \text{true} \\ [\![R_F]\!]_\rho & \text{if } [\![G]\!]_\rho = \text{false} \\ \text{if } [\![G]\!]_\rho \text{ then } [\![R_T]\!]_\rho \text{ else } [\![R_F]\!]_\rho & \text{otherwise} \end{cases}$$

$$[\![\text{do forall } v \text{ in } A \text{ with } G\ R']\!]_\rho = \begin{cases} \{\ [\![\text{if } G \text{ then } R']\!]_{\rho[v \mapsto x_1]} \ \ldots\ [\![\text{if } G \text{ then } R']\!]_{\rho[v \mapsto x_n]}\ \} & \text{if } [\![A]\!]_\rho = \{x_1,\ldots,x_n\} \text{ (i.e., if } [\![A]\!]_\rho \text{ is a value)} \\ \text{do forall } v \text{ in } [\![A]\!]_\rho \text{ with } [\![G]\!]_{\rho \setminus v}\ [\![R']\!]_{\rho \setminus v} & \text{otherwise} \end{cases}$$

Table 2. Rule unfolding

If R has the form $l_1 := x_1 \ \ldots\ l_n := x_n$, then $\mathcal{E}(R) = R$. Otherwise:

$$\mathcal{E}(R) = \text{if } l = x_1 \text{ then } \mathcal{E}([\![R[l/x_1]]\!]_\emptyset) \text{ else if } l = x_2 \text{ then } \mathcal{E}([\![R[l/x_2]]\!]_\emptyset) \ \ldots\ \text{else if } l = x_n \text{ then } \mathcal{E}([\![R[l/x_n]]\!]_\emptyset)$$

where l is the first location occurring in R (but not as left-hand side of an update rule) and $\{x_1, \ldots, x_n\}$ is the range of location l.
5.2 Interfacing Other Model Checkers

Using SMV as a tool for checking was the choice for our first approach in this field. This decision was guided by the fact that the semantics of the SMV modelling language (i.e. the target language for the transformation) is given by simple transition systems. That is, it is very close to the ASM semantics. In principle, SMV can easily be substituted by another model checker that is based on transition systems, too, e.g., the model checkers of [4] or [5], since our transformation consists of several steps:

1. Unfolding the n-ary dynamic functions in order to get a simple ASM with only 0-ary functions.
2. Flattening the nested structure of the transition rules of the ASM in order to get sets of simple guarded updates for each location (i.e. sets of triples (location, guard, update-value)).
3. Transforming the individual sets of guarded updates into our notion of abstract syntax of the SMV language.
4. Pretty printing the model given in abstract syntax of the SMV language into SMV code.

In order to develop an interface to another model checker that treats any kind of transition system it is obviously sufficient to substitute only the last two steps of the transformation.

5.3 Optimisation Issues

Since efficiency is a crucial point for the model checking approach we also have to focus on optimisation issues. The results of the investigations so far are summarised in the following two points:

Restriction of unfolding. In [2] the rule unfolding is formally given by the scheme shown in section 5.1 (see Table 2). For the implementation of this scheme we identified a crucial point for optimisation: the set of locations to be unfolded (i.e. substituted by their values) should be more restricted. We regard all boolean operators, e.g. not, and, or, equal, as primitive functions. Only those locations that occur as function parameters of non-primitive functions or appear at the right-hand side of updates or equations are to be substituted. Locations that appear as 0-ary functions on the left-hand side of equations (i.e. in guards) or as parameters for primitive functions should not be unfolded. Although this optimisation seems to be obvious, it is crucial for our approach in order to keep the transformation efficient (and feasible) even for larger models. Since the transformation scheme given in [2] suggests the exhaustive use of induction (even more so given the language in which we implement our transformation), it appeared that additional case distinctions are crucial. With the resulting optimised transformation algorithm we are able
to treat any function that is updated non-deterministically. The resulting SMV code has a plain structure since we do not exploit the notion of modules or processes given in the SMV language. Instead, the transition behaviour of all agents is specified to be parallel and synchronous but guarded by the current value of self. Using a more elaborated module structure in the target language might benefit from the notion of interleaving semantics of parallel processes. In [7] it is stated that the internal BDD structure (that represents the model) may be smaller in size for interleaving asynchronous than for synchronous transition relations.

To investigate a possible optimisation of the transformation, we edited the SMV code of our running example in such a way that we introduced the module structure appropriately for specifying interleaving agents. We compared the resulting models in their size of BDDs, which is one of the measurements for the model checking algorithm. (Another one is the formula to be checked.)

The corresponding order of state variables is produced by the -reorder option of SMV.

Without use of processes, normal transformation:

    BDD nodes allocated: 55446
    Bytes allocated: 6029312
    BDD nodes representing transition relation: 12444 + 54

With use of processes but only global variables:

    BDD nodes allocated: 76367
    Bytes allocated: 3473408
    BDD nodes representing transition relation: 11649 + 50

With use of processes and with locally declared process variables:

    BDD nodes allocated: 89365
    Bytes allocated: 3670016
    BDD nodes representing transition relation: 13626 + 50

At least for our example of the FLASH protocol we found that the sizes of the BDDs that represent the corresponding models are comparable. Therefore we keep the transformation without exploiting the notion of modules in order to keep the implementation as simple as possible.

6 Related Work

In [10] a different approach for automated verification for ASMs is elaborated. Spielmann represents an ASM model independently of its possible input by means of a logic for computation graphs (called CGL*). The resulting formula is combined with a CTL*-like formula which specifies properties and both are checked by means of deciding their finite validity. This addresses the problem of checking systems with arbitrary inputs. However, Spielmann concludes that this approach is restricted to ASMs with only 0-ary dynamic functions and relational input. For many problems, however, we found that the input, or the environment respectively, proper to the model at hand is restricted by certain assumptions (as described in Sec. …). The restriction to 0-ary functions outweighs this potential benefit. In [11] some helpful theoretical results on the model checking and the verification problem for ASMs are published. This investigation tends to determine the limit of both problems in general in terms of their decidability and complexity.

In some cases the formalisation of environment behaviour that is restricted by assumptions is a complex task. Operational semantics (like ASMs) may yield more complex solutions than a logical approach (like the temporal logic CTL). It might be useful to facilitate the user with CTL for the specification of additional assumptions on the environment behaviour. This approach is supported by the model checker described in [4]. Thus, adapting our transformation to that tool might be promising.

The case study of the FLASH protocol that is used here in order to give an example for applying our approach has been investigated with other approaches as well. The most elaborated work is published in [9]. Park and Dill introduced a method relying on so called aggregation functions that yields the refinement relation between specification and implementation. Their approach for proving correctness is supported by means of the interactive theorem prover PVS. Giving up on fully automated support they can tackle a broader range of requirements, of course.

Wing and Vaziri-Farahani investigated in [12] a slightly similar kind of protocol for cache coherence (but not exactly the FLASH protocol) by means of model checking, namely using SMV. As we do they claim that “ ith t ss g rait a a a s this ah hr r t si ri g it s r r a ”.

But the model they introduced, in contrast to the model we used, lacks the possibility to scale up easily by using parameters. We found that the ASM model, being more general but concise at the same time, leads to a more clear and understandable structure than modelling in the plain SMV language only.

Also McMillan in [7] applied SMV to a distributed cache protocol, but his model of the protocol, being spread over several modules, is not fully introduced and thus difficult to understand. Since the application is not exactly the same as the FLASH protocol we cannot relate the effort for checking (BDD size and checking time) properly.

7 Conclusion

In previous work ([13] and [2]) an interface from the ASM Workbench to SMV was presented. The transformation from ASM to the SMV language comprises the treatment of dynamic functions of arity n > 0, which is a crucial improvement, as most specifications benefit from the abundant use of parametric dynamic functions.

In this paper we gave an overview of our experience with model checking ASMs so far. Although our transformation can treat a great subset of the ASM language we found that in practice most models have to be refined or extended to be fit for the model checker: since assumptions on the model that are stated besides the ordinary transition rules are not covered by the transformation we have to add a proper specification of these assumptions into the resulting SMV model. This can be done by simply exploiting language features of SMV (e.g. the fairness construct), by further refinement of the model at hand, or by specifying environment behaviour by means of transition rules such that the given assumptions are covered by the transformation.

The practicability of the approach is demonstrated by a non-trivial case study: the ASM model of the FLASH protocol. In order to fit the model for the model checking process we have to refine the model in a way that specifies the message passing behaviour. We gave some examples for errors found by the model checker that can hardly be detected by pure mathematical proofs, and deduced more general constraints for the model at hand from the counter examples.

We concluded with some remarks on the implementation of the transformation algorithm concerning feasibility and optimisation issues.

Acknowledgements. Many thanks belong to the anonymous referees for their helpful comments as well as to Stephan Herrmann and Giuseppe Del Castillo for many fruitful discussions.

References

6rg r, Y. ur ic , a d . os ig. ak r Igorit : Y t ot r 

p cificatio a d rificatio . I . org r, ditor, ifi a i ad alida i 

h ds. xford i rsit r ss, 994. 

2. . 1 astillo ad . i t r. od 1 c cki g support for t ig -1 1 

la guag . I . raf ad . c art bac , ditors, r . 6 h I . f. 

, olu 7 5 of , pag s 33 -346, 2 

3. . ura d. od li g cac co r c protocol - a cas stud it H. I 

lass rad . c itt, ditors, r s. f h h f. f r a i f 
r i , , agd burg i rsit , 99 . 

4. . ilkor t al. s rs’ id . i s , ii c , 996. 

5. I roup. is: s st for rificatio ads t sis. I . H i g r 

lur, ditor, hi. f. ’6, olu 2 of , 996. 

6. . uski , . f It, a d . H i ric t. al. sta ford H ultiproc ssor. 

I hi. . r r hi r , 994. 

7. . c ilia . li d I h ki g. \u T cad ic ublis rs, 993. 

ar Hi. ol i g Ig bra od 1 f roductio 11. ast r’s t sis, 

i rsita di isa, 996. 

9. . ark a d . ill. rificatio of cac co r c protocols b aggr gatiuo of 

distribut d tra sactio s. h r f i g s s, 3 :355-376, 99 . 

. pi 1 a . od 1 cki g bstract tat ac i sad o d. I his 
I 

. pi 1 a . uto atic rificatio of abstract stat ac i s. I . Halb ac s 

ad . Id, ditors, r id d rifi a i , ’ , u b r 633 i 

, pag s 43 -442, r to, Ital , 999. 

2. . . i g a d .a iri- ara a i. cas stud i od 1 c cki g soft ar 

s st s. i / r r gra i g, 2 :273-299, 997. 

i t r. od 1 c cki g for abstract stat ac i s. 

rsal r i (s ial iss ), 3(5) :6 9-7 2, 997. 
Abstract state machines (ASMs) [3, 1] have been used at Siemens Corporate Technology to design a component in a software package called FALKO. This name is the German acronym for “timetable validation and timetable construction”, describing concisely the main functionality of this tool. Detailed operational timetables including e.g. roster plans can be automatically calculated from raw data like train frequency and infrastructure of a railway system. For these calculations estimations of trip times are used. Timetables, whether constructed with FALKO or other tools, have to be validated for operability and robustness. Conventionally this is done by (physically) driving trial runs. With FALKO this costly form of validation can be replaced by dynamic simulation of operational timetables, modelling quantitative aspects like velocities and trip times as accurately as needed.

To perform dynamic simulation of timetables, the whole closed-loop traffic control system is modelled within FALKO. The model is designed in a modular way with three main components: train supervision/train tracking, interlocking system, and railway process model. Software components for train supervision/train tracking and for the interlocking system are nowadays part of real train operation. The railway process model on the other hand serves to replace the real physical system (trains, signals, switches etc.) in the simulation.

ur c a . ( ds.) pp. 6 — 66 

pr g r- r ag r d rg 
Modelling is based on discrete event simulation. The three components communicate via events, which are tagged with certain data and stamped with the (fictitious) time of their occurrence. Let us give an example. Train supervision, e.g., sends an event at a certain time to the interlocking system requesting a route. The interlocking system, possibly after having received an event which frees that route, sends an event at a later time to the railway process model requesting a switch to change its position. The railway process model then calculates the duration of rotating this switch and sends an event to the interlocking system to the effect that the switch has arrived at the requested position at the corresponding time, etc.

Besides the three main components modelling the traffic control system there is, as a fourth hidden component, the event handler, which controls the simulation by receiving events from the visible components and sending them to the respective addressee in the appropriate order.

The railway process model is based on a physical model of driving according to which the crucial numerical calculations for determining speeds, trip times etc. are done. This physical model is another hidden component of FALKO, realized as a C++ library.

Further parts of FALKO are a comfortable user interface and the facilities to analyze and graphically display data of a simulation run. It can also be used for visualization of simulation runs (see figure 1).
The railway process model has been designed with ASMs [3, 1]. All the other components of FALKO can be designed and implemented conventionally with hand written C++ code. Along with this design a prototypical development environment of FALKO has been built up, which can also be used to maintain this component. This development environment supports a seamless flow from specification down to executable code. The single source for FALKO's railway process model is a specification consisting of formal parts together with informal explanations. The formal parts are rules and static, dynamic, derived and external functions written in ASM-SL, the language of the ASM Workbench [2]. The specification comes as a collection of HTML documents (see figure 2). HTML hyperlinks to navigate between uses and definitions of rules and functions are generated automatically. The formal parts can be extracted automatically from the HTML documents to be fed into the front end of the ASM Workbench, which is used for syntax and type analysis.

The physical model of driving is not included in the railway process model. It has been designed conventionally except for its …
In the design phase of the project the ASM Workbench was also used for early tests of the model(s). At the end of the design phase it was decided to attempt code generation rather than hand coding the already debugged model.

In the implementation phase a code generator has been developed, automatically generating C++ code from the type correct ASM-SL code. In addition some wrapper code for interfacing the generated code to the remaining components, and some low-level “library code”, was hand coded.

Formal verification of the model has not been attempted; this was not a goal of the project.

2.2 Effort for Design and Implementation

Design phase:

- Requirement specification based on the predecessor system, developed in meetings of the design team, documented by minutes of the meetings (4 persons, 2 weeks)
- Design of a draft of the executable model (… person, … weeks)
- Several cycles of testing and debugging using the ASM Workbench [2] (… person, … weeks + … person, … weeks)
- Review of the 2nd draft of the model by the design team plus external reviewers (6 persons, … week)
- Several cycles of improving, testing and debugging (2 persons, 5 weeks)

Implementation phase:

- Development of the ASM-SL to C++ code generator (… person, 4 weeks)
- Specification and implementation of additional hand written C++ code (… person, 2 weeks)
- Integration of the FALKO system including testing and debugging (3 persons, 3 weeks)
- Documentation of the railway process model component and final polish (… person, 6 weeks)

Summing up that part of the above listed effort which was spent on behalf of the railway process model component of FALKO, this yields a total effort of 66 person weeks.

It is not possible, of course, to compare this effort reliably to the corresponding effort in a conventional software design process. But a rough estimation done by an experienced programmer intimately familiar with FALKO says that the ASM design (including development of the C++ code generator) has exceeded a conventional effort by about … %.
2.3 Size of the ASM-SL and C++ Code

ASM-SL source (from which the C++ code is generated):

- ca. 3… lines of ASM Workbench code
- 2… rules
- 3…5 functions and relations (24… functions, 75 relations)
  - 7… dynamic
  - 69 external
  - 59 static
  - 6… derived

C++:

- ca. 9… lines of generated C++ code
- ca. 2…9 additional lines of hand written C++ code, consisting of
  - ca. 4… lines wrapper code for interfacing to other components of FALKO
  - ca. 2…5 lines low-level library code

In the prototypical predecessor system of FALKO the railway process model consisted of ca. 2… lines of (hand written) C++ code. To be fair one has to take into account, however, that this component, having been experimented with, had grown over time (and become difficult to maintain, which was the reason for redesigning it completely).

3 Impressions

It turned out that one of the main advantages of ASMs for this design was the parallel update view. This made it possible to model the railway process in such a way that each state of the model corresponds to a “snapshot” of the virtual physical process taken at the occurrence of a “relevant discrete event”. Due to this, one can always have a clear picture of the physical state snapshot, on which auxiliary computations (specified by static and derived functions) are based.

FALKO developers and reviewers not concerned with formal methods had no problems to understand the model. The possibility of early tests by executing the model with the ASM Workbench was very helpful and uncovered bugs also in other components of FALKO at an early stage.

No serious attempt has been made to measure the potential performance loss due to the use of generated C++ code. Comparison to the predecessor system of FALKO has been possible only on one example, for which the data happened to be available in both systems. In this small example the performance of the previous system was about 3…% better than that of the current FALKO system. For the time being the performance problem has been left aside, since it turned out that FALKO's performance is good enough for the purpose the product is used for.

FALKO is used in four installations at the Vienna subway operator since March 1999, one of these installations being in daily use. Up to now (i.e. March 2000) the customer reported no bugs. After finishing the first version of FALKO, two bugs in the railway process model have, however, been discovered in tests during development of the second version. FALKO developers have not yet familiarized themselves with the ASM specific tools. The generated C++ code being readable enough, they chose to implement temporary fixes of the two bugs by hand hacking the generated C++ code, and to postpone correction of the ASM model until the faults are analyzed more thoroughly.



Acknowledgements. We thank our colleagues of the FALKO team for their open attitude towards this pioneering use of ASMs and for a year of enjoyable and fruitful cooperation. Furthermore we thank Giuseppe Del Castillo for the permission to use early versions of his ASM Workbench and for the support obtained from him.

References

1. Egon Börger and Jim Huggins. Abstract State Machines 1988-1998: Commented ASM Bibliography. Bulletin of the EATCS, 64:105-127, February 1998. Updated bibliography available at http://www.eecs.umich.edu/gasm.

2. Giuseppe Del Castillo. The ASM Workbench - A Tool Environment for Computer-Aided Analysis and Validation of Abstract State Machine Models. PhD thesis, Universität Paderborn, to appear.

3. Yuri Gurevich. Evolving Algebras 1993: Lipari Guide. In E. Börger, editor, Specification and Validation Methods, pages 9-36. Oxford University Press, 1995.
Using Abstract State Machines at Microsoft: A Case Study

Mike Barnett, Egon Börger*, Yuri Gurevich, Wolfram Schulte, and Margus Veanes

Microsoft Research, Microsoft Way, Redmond, WA, USA

{mbarnett, boerger, gurevich, schulte, margus}@microsoft.com



Abstract. Our goal is to provide a rigorous method, clear notation and convenient tool support for high-level system design and analysis. For this purpose we use abstract state machines (ASMs). Here we describe a particular case study: modeling a debugger of a stack-based runtime environment. The study provides evidence for ASMs being a suitable tool for building software models at various abstraction levels, with precise refinement relationships connecting the models. High level models of proposed or existing programs can be used throughout the software development cycle. In particular, ASMs can be used to model inter-component behavior at any desired level of detail. This allows one to specify application programming interfaces more precisely than it is done currently.

1 Introduction

This paper describes a case study on the use of ASMs as support for design and analysis of software at Microsoft. In order to use ASMs as a tool for executing specifications we integrated it with the Microsoft programming environment, in particular with the COM technology [5]. We developed a prototype called AsmHugs [1] by extending the Hugs system [2] which is an implementation of the lazy functional programming language Haskell. AsmHugs is in many ways similar to AsmGofer [4] but Hugs enables us to use H/Direct [6, 7] for integration with COM. A detailed technical report of this case study is in preparation [3].

1.1 What Is the Case Study About?

We present a model for a command-line debugger of a stack-based runtime environment. The model was reverse-engineered from the debugger which is written in C++ and which uses a particular application programming interface (API). We have in fact three models of the debugger, each at a different level of abstraction. They form a refinement hierarchy where each refinement relationship is a procedural abstraction.

* Visiting researcher from Università di Pisa, Dipartimento di Informatica, I- 6 Pisa, Italy, boerger@di.unipi.it

ur c a . ( ds.): pp. 67— 7 

(c) pr g r- r ag r d rg 
1.2 Why This Particular Case Study?

Our motivation was to test the applicability (and integrability) of ASMs to Microsoft software. Software at Microsoft is generally written in modules, or components. This is often done for client/server relationships where a component may function both as a server and as a client. A client and a server interact solely through an established API. The API is a set of procedures to which all communication is restricted. The debugger in question is an application program for end-users. It is a client of the debug services.

Suppose you want to understand how the API works without reading the code. You may have a specification written in the Interface Definition Language (IDL [5]) which gives only the signatures of the procedures. The inner workings of the API's procedures are not given; the only additional information one may have is an informal natural-language description. Such descriptions may be incomplete and may become inconsistent with the code, as the code evolves over time. Obviously, there is no way to formally enforce correspondence between code and its natural-language description. The two main problems with using program code itself as documentation are these. First, the code is usually huge and hides too many irrelevant details. Second, the code might not be available for proprietary reasons.

In this study, we model a particular program but our interests are broader: how to use ASMs to better specify the ways by which different components interact. Our model provides the missing information at the appropriate level of abstraction so that the user of a given component can understand both the behavior of the component and the protocol that the user is supposed to follow in order to exploit the behavior. Each method is specified as a rule, and the valid patterns of calls are reflected in the state.

As part of a broader project, we also built a model of the other side of the API: the debug services (to be described in a forthcoming report); the debugger model was a valuable resource in that context.

1.3 COM

Microsoft software is usually composed of components. Modules are really just static containers of methods. In COM, one deals with dynamic-link libraries (DLLs); a library contains one or more components (in compiled form). COM is a language-independent as well as machine-independent binary standard for component communication. In COM a component is composed of interfaces; an interface is an access point through which one accesses a set of methods. A client of a COM component never accesses directly the component's inner state, nor cares about its identity; it only makes use of the functionality provided by the different methods behind the interface (or by requesting a different interface).
1.4 Integration with COM

Writing an executable model for a client of a component requires that either one models also the server side of the interfaces (and then maybe the components for which that server is a client, and so on) or one integrates the model into the environment and thus makes it possible for the model to actually call the component. We do the latter. H/Direct provides a means for a Haskell program to communicate with COM components both as a client and as a server. For the debugger model, both modes (the client and the server) are needed. The server mode is needed because the debug services API specifies the interface that the client must implement. The debug services use the callback interface to make asynchronous procedure calls to the model. However, Hugs is a sequential system. In order to use it in an asynchronous multi-threaded environment, a modification of the Hugs runtime was required. Further modifications of the Hugs runtime were needed to allow the outside world to invoke Hugs functions.

All three of the debugger models in the case study, even the most refined one (the ground model), are sequential ASMs (enriched with some Haskell functionalities). The ground model communicates with the outside world. The question arises how to view that communication in ASM terms. Calls from the ground model to the debug services are invocations of external functions. Calls in the other direction (the callbacks) appear to be more specific: callbacks are updates of monitored functions.



The case study is to model a sample debugger of a particular runtime environment. The main goal of this debugger is to illustrate a correct way to use the debugging services provided by that runtime. See Figure 1. Nonetheless, the debugger has more than 3 k lines of C++ code and exhibits complex behavior, partly due to the involvement of several asynchronous agents (the user, the runtime and the operating system), but mostly because of the complexity of the debug services that expose about 5… interfaces and 25… methods.

A careful analysis of the debugger, mainly by analyzing the source code, led us to a refinement hierarchy consisting of three models. When analyzing the causal dependencies of different actions we realized that the complications due to the seemingly asynchronous behaviour could be completely avoided, which enabled us to model the debugger by a sequential ASM. Design decisions which are reflected by the resulting debugger model were later validated by running the model as a replacement of the actual debugger.

1. Control model. The abstraction level of this model is at the control level. The user interacts with the debugger via a command line; the debugger responds with a prompt. The runtime environment can issue a callback to the debugger only if the latter is expecting a callback. At this level, the only effect of a callback or user command is to change the control state.
Fig. 1. The debugger and the runtime debug services.



2. Object model. This model reflects the static structure of the underlying architecture, namely that modules contain classes, classes contain functions, functions contain code, etc. Furthermore, it provides a restricted view of the runtime structure, namely that processes contain threads, threads contain frames, etc. At this level exactly those commands are modeled that are intimately connected to the compile time structure and to the restricted view of the runtime structure, such as execution control, breakpoint control, and stepping commands.

3. Ground model. This model has the same core functionality as the debugger. It provides a more detailed view of the runtime structure than the object model. User commands dealing with inspection of the runtime stack, and contents of individual frames, like inspection of specific object values, are modeled here.





Fig. 2. Connections between the models and the runtime.
In principle, all models are executable, either without the real runtime or, through the refinements, using the actual runtime (see Figure 2). However, in the former case, a proper simulation harness has to be provided. An example of a test harness by using a “wizard” is illustrated in Section 3.2. In a related project, we construct a model that approximates the runtime. This model could be used to be the runtime harness.

Executing the control model using the runtime, each action is interpreted by AsmHugs via the indicated events; connectivity is provided by H/Direct.



3 Control Model

In this model we consider the main control modes of the debugger. The modes reflect who has the control: the user, the runtime, or the debugger itself. When the user has control, the debugger presents a prompt and waits for input. The debugger waits for a response from the runtime when the runtime has the control. Once the runtime has responded with an event, the debugger has control and has to decide what mode to transit to. As we will see, this decision is based on particular properties of the event and further input from the runtime.





Although the communication between the real debugger and the runtime is asynchronous, the documentation of the debug API specifies that the runtime issues at most one asynchronous event at a time; before issuing the next event the runtime must receive an acknowledgement from the debugger. Furthermore, the communication protocol between the debugger and the runtime ensures that at most one of them has control. Therefore, sequential ASMs suffice for our modeling purposes.











The remainder of this section is structured as follows. First, we will lay out the control model in full detail, introducing the necessary state components and the rules as needed. Second, we will run a particular user scenario that will indicate a possible discrepancy between the runtime and the model. Finally, we will refine the model.

This example shows a typical use of a high level model during the design phase in a software development cycle.



3.1 Control Model

The debugger can be in one of four modes. In Init mode the debugger either hasn't been started yet, or it has been terminated. In Break mode the user has the control. In Run mode the runtime has the control. In Break? mode the debugger has the control. A dynamic function, dbgMode, records the mode of the debugger in the current state; it has the initial value Init. The top level rule of the debugger is dbg. Below, do is short for do in-parallel.

    dbgMode = initVal Init
    dbg = do
        if dbgMode == Break or dbgMode == Init then handleCommands
        if dbgMode == Run then handleResponses
        if dbgMode == Break? then handlePendingEvents

There are two monitored functions, command and response, that are updated by the user and the runtime, respectively. Initially, both monitored functions have a value that indicates that no input has been entered by either.

command = initVal "nothing" 
response = initVal "nothing" 

User Commands. We can partition user commands into three groups: commands for starting and quitting the debugger, commands that hand the control over to the runtime (e.g. execution control and stepping commands), and commands that do not affect the control mode (e.g. state inspection and breakpoint setting).

The user can issue commands only if the debugger is either in Init mode or in Break mode. In the first case, the only meaningful action is to start the debugger.

    handleCommands = do onStart
                        onExit
                        onBreakingCommand
                        onRunningCommand
                        command := "nothing"

    onStart = if dbgMode == Init and command == "start"
              then do doCommand("start")
                      dbgMode := Break

In Break mode the debugger handles normal debugging commands and may switch to Run mode or back to Init mode, depending on the command.

    onExit = if dbgMode == Break and command == "exit"
             then do doCommand("exit")
                     dbgMode := Init

    onBreakingCommand = if dbgMode == Break and isBreakingCommand(command)
                        then do doCommand(command)

    onRunningCommand = if dbgMode == Break and isRunningCommand(command)
                       then do doCommand(command)
                               dbgMode := Run

Firing of execution control commands and stepping commands implies that the control is handed over to the runtime.

    isRunningCommand(x) = x in? {"run <pgm>", "continue", "kill",
                                 "step into", "step over", "step out"}
Other commands have no effect on the control mode.

    isBreakingCommand(x) =
        not (isRunningCommand(x)) and x != "exit" and x != "start"

As mentioned above, in the control model, handling of commands is a skip operation. This rule is refined in the object model.

    doCommand(x) = skip



Callbacks. The debugger can handle callbacks or responses from the runtime only in the Run mode. The value of the monitored function response is a callback message from the runtime notifying the debugger about a runtime event. In the debugger, each event is classified either as a stopping event or as a non-stopping event.

    handleResponses = do onStoppingEvent
                         onNonStoppingEvent
                         response := "nothing"

    onStoppingEvent =
        if isStoppingEvent(response) then do dbgMode := Break?
                                             doCallback(response)

    onNonStoppingEvent =
        if not (isStoppingEvent(response)) then doCallback(response)

Breakpoint hit events, step completed events, and process exit events are always stopping events. Initially isStoppingEvent is the following unary relation (unary Boolean function).

    isStoppingEvent(x) = x == "step completed" or x == "breakpoint hit" or
                         x == "process exited"

However, the relation is dynamic and may evolve during a run as a result of a specific user command or a specific runtime event.

In the control model the actual handling of callbacks is a skip operation. This rule is refined in the object model.

    doCallback(x) = skip



Pending Events. In Break? mode a stopping event has happened and the debugger has the control. Either the control goes back to the user, which happens only if there are no pending events in the runtime, or the control goes back to the runtime and the debugger continues the current process.
    handlePendingEvents = do onPendingEvent
                             onNoPendingEvent

    onPendingEvent = if isEventPending then do dbgMode := Run
                                               isEventPending := False
                                               doCommand("continue")

    onNoPendingEvent = if not (isEventPending) then do dbgMode := Break

The boolean function isEventPending is monitored by the runtime. The control model is summarized by a state diagram in Figure 3.

Fig. 3. Control model of the debugger (transitions labelled onBreakingCommand, onNonStoppingEvent, etc.).



3.2 Wizard-of-Oz Experiment

We want to explore the behavior of the model on a given set of user scenarios, without having access to the real runtime, and possibly expose contradictions in the model. Since we reverse-engineered the model from the debugger, we cannot claim that our model is truly faithful to it. In fact, an error that might show up may well have sneaked into the model without being in the debugger. The point we want to make is that this form of testing may be useful if used during the design phase.

Since the actual runtime is missing, we will ask a “wizard” to play its role. The wizard enables us to see a run, indicating the part of the state that has changed after the i-th step of the model.
Table 1. A run of the control model.

    Step  dbgMode  command         response         isEventPending
    1     Init     start
    2     Break    bp hello.cpp:7
    3     Break    run hello.exe
    4     Run                      created process
    5     Run                      loaded module
    6     Run                      created thread
    7     Run                      hit breakpoint
    8     Break?                                    True
    9     Run                      loaded class
    10    Run


The run shows that after hitting a breakpoint there is a pending event in the runtime. According to the model, the current process is continued and control is passed to the runtime. It turns out that the pending event was a non-stopping event (a class was loaded). Obviously, this behaviour contradicts the expected consequence of reaching a breakpoint, namely that the user should get the control. At this point we have two options to solve the problem: if we can constrain the runtime to meet the restriction that only stopping events can cause the isEventPending flag to become true, then the current model is correct; otherwise we have to modify the model. We choose the latter, see Figure 4.



Fig. 4. New control model of the debugger (transitions labelled onBreakingCommand, onNonStoppingEvent, etc.).
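The control model of Section 3.1 and the wizard run of Table 1, replayed as an added Python example (this is not the authors' AsmHugs code). The rules dbg, handleCommands, handleResponses and handlePendingEvents are transcribed one to one; the four sub-rules of handleCommands have mutually exclusive guards, so firing them sequentially is equivalent to firing them in parallel. Assumptions not taken from the paper: the pattern "run <pgm>" is matched by any command starting with "run ", the breakpoint event of Table 1 is spelled "breakpoint hit" as isStoppingEvent expects it, and the "nothing" value of a monitored function is not recorded in the trace (doCommand and doCallback are skip in the control model, so nothing observable is lost).

```python
# Added example: the debugger control model (dbg, handleCommands,
# handleResponses, handlePendingEvents) replayed on the Table 1 scenario.
from dataclasses import dataclass, field

# isRunningCommand: execution control and stepping commands hand control to
# the runtime.  Assumption: "run <pgm>" is a pattern, so any "run ..." matches.
RUNNING_COMMANDS = {"continue", "kill", "step into", "step over", "step out"}
# isStoppingEvent: the initial value of the relation (it is dynamic in the paper).
STOPPING_EVENTS = {"step completed", "breakpoint hit", "process exited"}


def is_running_command(x: str) -> bool:
    return x in RUNNING_COMMANDS or x.startswith("run ")


def is_breaking_command(x: str) -> bool:
    # Every command that is neither a running command nor start/exit leaves
    # the control mode unchanged.
    return not is_running_command(x) and x not in ("exit", "start")


@dataclass
class ControlModel:
    dbg_mode: str = "Init"          # dynamic function dbgMode, initVal Init
    command: str = "nothing"        # monitored, written by the user
    response: str = "nothing"       # monitored, written by the runtime
    is_event_pending: bool = False  # monitored, written by the runtime
    trace: list = field(default_factory=list)  # doCommand/doCallback calls

    # doCommand and doCallback are skip in the control model; they are only
    # recorded here so that a run can be inspected ("nothing" is not input).
    def do_command(self, x: str) -> None:
        if x != "nothing":
            self.trace.append(("command", x))

    def do_callback(self, x: str) -> None:
        if x != "nothing":
            self.trace.append(("callback", x))

    def handle_commands(self) -> None:
        mode, cmd = self.dbg_mode, self.command
        if mode == "Init" and cmd == "start":                  # onStart
            self.do_command("start")
            self.dbg_mode = "Break"
        elif mode == "Break" and cmd == "exit":                # onExit
            self.do_command("exit")
            self.dbg_mode = "Init"
        elif mode == "Break" and is_breaking_command(cmd):     # onBreakingCommand
            self.do_command(cmd)
        elif mode == "Break" and is_running_command(cmd):      # onRunningCommand
            self.do_command(cmd)
            self.dbg_mode = "Run"
        self.command = "nothing"

    def handle_responses(self) -> None:
        if self.response in STOPPING_EVENTS:                   # onStoppingEvent
            self.dbg_mode = "Break?"
        self.do_callback(self.response)       # both sub-rules call doCallback
        self.response = "nothing"

    def handle_pending_events(self) -> None:
        if self.is_event_pending:                              # onPendingEvent
            self.dbg_mode = "Run"
            self.is_event_pending = False
            self.do_command("continue")
        else:                                                  # onNoPendingEvent
            self.dbg_mode = "Break"

    def step(self, command="nothing", response="nothing", is_event_pending=None):
        """The environment writes the monitored functions, then rule dbg fires once."""
        self.command, self.response = command, response
        if is_event_pending is not None:
            self.is_event_pending = is_event_pending
        if self.dbg_mode in ("Init", "Break"):
            self.handle_commands()
        elif self.dbg_mode == "Run":
            self.handle_responses()
        elif self.dbg_mode == "Break?":
            self.handle_pending_events()
        return self.dbg_mode


# Constructed from Table 1: (command, response, isEventPending) supplied by the
# user / wizard before each step (None = the flag is left unchanged).
TABLE_1 = [
    ("start", "nothing", None),
    ("bp hello.cpp:7", "nothing", None),
    ("run hello.exe", "nothing", None),
    ("nothing", "created process", None),
    ("nothing", "loaded module", None),
    ("nothing", "created thread", None),
    ("nothing", "breakpoint hit", None),
    ("nothing", "nothing", True),        # wizard: an event is pending
    ("nothing", "loaded class", None),   # ... and it is a non-stopping one
]


def replay(scenario):
    """Return the model and the dbgMode reached after each step."""
    m = ControlModel()
    return m, [m.step(*inputs) for inputs in scenario]


def user_regains_control(modes):
    """After the first stop (Break?), did control go back to the user (Break)?
    Returns None if the run never reached Break?."""
    for before, after in zip(modes, modes[1:]):
        if before == "Break?":
            return after == "Break"
    return None


if __name__ == "__main__":
    model, modes = replay(TABLE_1)
    for (cmd, resp, pending), mode in zip(TABLE_1, modes):
        print(f"{cmd:16} {resp:16} {str(pending):6} -> {mode}")
    print("user regains control after the breakpoint:", user_regains_control(modes))
```

Running the scenario reproduces the discrepancy discussed above: step 8 fires onPendingEvent, the model issues "continue" and hands control to the runtime, and the pending event turns out to be the non-stopping "loaded class", so the run ends in Run rather than Break. The check user_regains_control makes that observable as a single boolean, which is the kind of property a wizard run of the control model is meant to expose before the refined models are built.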
4 Object Model

The static and dynamic structures of the runtime architecture are reflected in the object model with just enough detail so that one can model features that deal with execution control, breakpoints, and stepping, and explore their interaction.

Let us consider some examples. The first example is the refinement of the user command that starts the debugger. The next two examples specify what happens in the object model when a module is loaded or unloaded by the runtime. Recall that all those rules are just skip rules in the control model.



4.1 User Commands

Starting the Debugger

    doCommand("start") = do in-sequence
        coinitialize
        shell := newShell(services = newServicesInterface(...),
                          callback = newCallbackInterface(...),
                          modules = {},
                          breakpoints = {},
                          debugee = undef)
        shell.services.setCallback(shell.callback)

The first rule initializes the COM environment. The second rule creates a debugger shell with a pointer to the services and a callback. The third rule invokes the SetCallback method of the debug services with the callback interface pointer as argument, thus providing the services access to the client's callback methods.

4.2 Callbacks

Loading Modules

    doCallback(<"load module", mod>) = do
        shell.modules := shell.modules ++ {mod}
        do in-sequence
            forall bp in shell.breakpoints do bp.bind(mod)
            shell.debugee.continue()

The module is recorded in the shell. The shell attempts to bind each of its set of breakpoints to that module. Once all bindings have been made (if any), the debuggee is continued through an external call.

We have omitted the bind rule that checks if the location that the breakpoint refers to indeed exists within the module. If the location exists, a real breakpoint is created at that location through an external call to the services; otherwise, nothing is done.
Unloading modules

doCallback (<"unload module" ,mod>) = do 
shell .modules := shell. modules \ {mod} 
do in-sequence 

forall bp in shell. breakpoints do bp. unbind (mod) 
shell . debugee . continue () 

The effect of unloading a module is to update the shell and to remove all the breakpoints from that module.

4.3 e e ts 

There are a couple of things worth noticing about the above rules. First, the design decision to bind a breakpoint that may already be bound implies that if there is a breakpoint referring to a location that exists in two or more distinct modules, then the breakpoint is associated to all of them. Second, all breakpoints are handled simultaneously; there are no ordering constraints between them. This is a typical situation: in the actual (C++) code there is a linearly ordered structure maintaining the elements that are then processed sequentially in the order determined by the structure.

While constructing the object model we detected a mismatch between the way loading and unloading of module callbacks was implemented. Namely, although loading followed the specification above, during unloading of a given module, if a breakpoint was bound to this module, then that breakpoint was not only removed from this module but from other modules as well. We did not discover this by studying the code, but only when constructing the object model. In fact, it is hard to see it from the code, but readily apparent from the model.
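Added example (ours, not the paper's nor the debugger's code): a Python rendering of the load/unload callbacks of Section 4.2 next to a constructed reproduction of the unload mismatch described above. The names Shell, Breakpoint, Module, unload_as_observed_in_code and bindings_after_unload, and the two-module scenario, are our assumptions.

```python
class Module:
    def __init__(self, name, locations):
        self.name, self.locations = name, frozenset(locations)  # locations in the module

class Breakpoint:  # refers to one location; may be bound to several modules (4.3, first remark)
    def __init__(self, location):
        self.location, self.bound_modules = location, set()

    def bind(self, mod):  # the omitted bind rule: bind only if the location exists in mod
        if self.location in mod.locations:
            self.bound_modules.add(mod.name)

    def unbind(self, mod):  # spec: drop only the binding to this module
        self.bound_modules.discard(mod.name)

class Shell:
    def __init__(self):
        self.modules, self.breakpoints = set(), set()

    def load_module(self, mod):  # doCallback(<"load module", mod>)
        self.modules.add(mod)
        for bp in self.breakpoints:  # forall bp in shell.breakpoints do bp.bind(mod)
            bp.bind(mod)

    def unload_module(self, mod):  # doCallback(<"unload module", mod>)
        self.modules.discard(mod)
        for bp in self.breakpoints:  # forall bp in shell.breakpoints do bp.unbind(mod)
            bp.unbind(mod)

def unload_as_observed_in_code(shell, mod):
    # Constructed reproduction of the mismatch in 4.3: a breakpoint bound to the
    # unloaded module loses all its bindings, not only the one to that module.
    shell.modules.discard(mod)
    for bp in shell.breakpoints:
        if mod.name in bp.bound_modules:
            bp.bound_modules.clear()

def bindings_after_unload(follow_spec):
    # Constructed scenario: one breakpoint at location "L", present in modules A and B;
    # load both, unload A, return the modules the breakpoint is still bound to.
    shell, bp = Shell(), Breakpoint("L")
    shell.breakpoints.add(bp)
    a, b = Module("A", {"L", "x"}), Module("B", {"L", "y"})
    shell.load_module(a)
    shell.load_module(b)
    if follow_spec:
        shell.unload_module(a)
    else:
        unload_as_observed_in_code(shell, a)
    return set(bp.bound_modules)  # spec: {"B"}; observed code: set()
```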



r 

The ground model has the same core functionality as the debugger and can be executed as a Hugs program that communicates with the runtime by using the H/Direct generated glue code. It gives a more detailed view of the runtime structure than the object model. All the user commands, such as inspection of specific object values, are modeled here. The ground model is fully described in the technical report [3].

6 c i 

The case study illustrates some particular ways that ASMs can help the system designer:
s s r s st s. The debugger involves several asynchronous agents and involves about 5 interfaces and about 25 methods. The size of the debugger is about 3 K lines of C++ code. The size of the specification (which can be run, though not as fast, and which provides essentially the same functionality) is only 4K lines. Due to built-in parallelism, the runs of our ASMs are shallow. In fact it takes only a bounded number of steps to process one user command, in contrast to the C++ code which may require an unbounded number of steps for the purpose (the number of steps may depend on the program being debugged). The parallelization was noted earlier (Section 4.3).

str t t r t s . CO 1 asil s parat t o- 

Is, b t still for all ti t ia r ts, it o t losi g c tabilit . 

t r t r t s g str t s. It is r iffic It 

It is very difficult to detect at the source code level such high level bugs as the ones that we detected with relative ease with the aid of the experiment. The object model enabled us to detect inconsistencies in the callback management.

To repeat, our goal is to provide a rigorous method, clear notation and convenient tool support for high-level system design and analysis. Our main tool

We found the parallel synchronous construct forall very useful. Similar conclusions were drawn from the Falko project [4].

Set and list comprehensions turned out to be very convenient. We found object oriented notations useful to structure specs, to improve their readability, and to link their execution to the object-oriented programming paradigm.

We realize that in order for ASMs to be useful in Microsoft (or in any enterprise), tools must achieve full interoperability.

The first and the third point are illustrated by the examples in Section 4.2.

Acknowledgements. We thank Sigbjorn Finne for helping us with H/Direct during the course of this work.

References

1. AsmGofer. http://www.tydo.de/AsmGofer/.
2. Hugs. http://www.haskell.org/hugs/.
3. Mike Barnett, Egon Börger, Yuri Gurevich, Wolfram Schulte, and Margus Veanes. Using ASMs at Microsoft: A case study. Technical report, Microsoft Research, Redmond.
4. Egon Börger, Peter Päppinghaus, and Joachim Schmid. Report on a practical application of ASMs in software design. In this volume.